MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
SHA3-384 hash: c37f832298e36d89404a07e08cd015b7bbd6f7c316520a4b437b2544f722f2e47cca5a8c7f6658d778fa9996debc1070
SHA1 hash: 7dd7c7be497cda8253f8826e2da858cbc9f099c0
MD5 hash: 58b24c9990e9c8c999287bb7c5880977
humanhash: spaghetti-speaker-iowa-butter
File name:8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:751'104 bytes
First seen:2025-07-07 15:13:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PynbbuZP1vdet/ntIM4lR5T6usq1CMtEyENN/GvcDG7oAT4YAmDXmj9:PynbSZy9tIvRxsxUA/G0ezLmR
Threatray 3'399 similar samples on MalwareBazaar
TLSH T1BDF4022A29A384D2D0653FB48993C27849343FE65973C3DABFE53C9B3D348519113766
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 1a71c0aaaaaa0203 (10 x Formbook, 2 x RemcosRAT, 2 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
27
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213.exe
Verdict:
Malicious activity
Analysis date:
2025-07-07 15:17:05 UTC
Tags:
evasion snake keylogger netreactor telegram stealer
Link:
https://app.any.run/tasks/50cb5624-a44a-4d12-8677-c3c71f0a93e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13265/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686be453900df8e7f8685431
Tags:
keylog spawn spam word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Setting browser functions hooks
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.07 Win 32 Exe x86
Link:
https://app.malva.re/file/58b24c9990e9c8c999287bb7c5880977
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213/
Threat name:
ByteCode-MSIL.Backdoor.njRAT
Create hunting rule
Status:
Malicious
First seen:
2025-06-26 08:47:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=res5odqhwtwpuqmtvlznhzzgjgtni6k5yuz4gbjarmmbuofngijq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
66f078e58ebd64a0dc663e8b45e21469d9b7b020b130d7f4bd31de6de4a4ce7a
SnakeKeylogger
c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400
SnakeKeylogger
d29951ed6ca3422a3ae5e2290a755571354f8d17ba3512a3b64275386ab08c6d
SnakeKeylogger
e69d7fa2b55a9c5b632015c4cbc2551b1109e99f7773f4fe7def0aa8a91eca11
SnakeKeylogger
error
SnakeKeylogger
f2cf2e30e5adbd28df56d9b640ac94dc8fcf6ff6cecc04502af5664e3afe82a0
SnakeKeylogger
+ 3'389 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250707-slxttsgm6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c0ced147-e4c7-4a93-b31c-a7ff4e01539e
Unpacked files
SH256 hash:
8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
MD5 hash:
58b24c9990e9c8c999287bb7c5880977
SHA1 hash:
7dd7c7be497cda8253f8826e2da858cbc9f099c0
Link:
https://www.unpac.me/results/fb55380d-311e-4be9-9950-b48b208af93d/
SH256 hash:
080dc1fbb7c8e11058f17eb020b60de7c1c21a9f08b955dc7cfb74d88d1071fa
MD5 hash:
e0ea65adb4d2f367078a1ee2972c680b
SHA1 hash:
34d35ab3c322f27c041a6f2b747779aca70ddc62
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/fb55380d-311e-4be9-9950-b48b208af93d/
Parent samples :
c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400
e164aa93521e044a988d12b9f9c996a602d473a94f7b9ea910cfd7da820f52a6
7fea3f280f7aed3bf963dd88226ced21fedaaee1c2f7e0bdb7f5bced416711dd
fe8abf598767162b0eb16dcf51205afcfd221eb2b2f23f32e5b286de19561df8
4a6dcfe4dfe7d02d44962cb9e47d87d6d755d0a9481a8013b145eb674ba567a0
368c3f4373be7b2de2adb08b623315e12d69d4d3f174c6a5d5b3e892a85fee51
62bd1a4886eaea5b5bbd21eea90540913b0a7a573305b0eb7c58cc61e93ecea0
d70b075d8b89da01a7990219aa08a64cfc93c5b915ac3217fc26c412e4f11122
e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
SH256 hash:
16b286e265bf73d9306fdcf18b6af9aa68bcd5322cb250cb66b1b14a220c88d6
MD5 hash:
9d1364afa57b30b1f4eea413809f2d08
SHA1 hash:
66bc8a0b0e37e21dbb5fe5a2050e2522391067e1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/fb55380d-311e-4be9-9950-b48b208af93d/
Parent samples :
649facade465ad92983e7f91f592eed9b04bd84bb4d2d78fcee013dd004f8758
c401d93c025614d076cdc77495da4b3e534557b4d3054ddec1321b5ed821c7b1
0399cc610cf9002129dfd6666006b3c1469fa796c19e96540aed28cb4e9689c6
8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
15b92edcf23a5909fe0e197a24cf219a28478c5d4c4c129fbcf776b02ac4dfe0
54a1a02cc4666d12264ad46491d6b29ab6606b1d9bd61ba74545a0286a6d64b0
1fbbd76779084cc1c6abdc0589285d263f1cc021c7977e7f9fef6bd4db8ab892
024e0ec6668fa78bb43f5d05ae30588e82c4429fdbf36034cbdd9895aee4e458
e103bcdfd02f8bd71180c91e1556399164982ff533ebbfe1e1b5c0b3e96657a4
e5d4ea9320972fd846b5e00cb7d3b36d1877b6e80733c3846fb9a8eda3606170
b818b605201bf6f9f32df1b0a0eafb5fbb560d17b44ebcef93be9be1c607238f
b58bbe7af3c222792a084491fa7aafe763a8c8c60b7795b1b06c0011e087d23c
8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
4b41957150ba1873f1b450400ac2bf7d88c96acb6a4bf01c5ffee306598500bd
SH256 hash:
2bcc42db485a9f1320e7d8940dae5819f2ee682ddd09e27a93d462c93150d265
MD5 hash:
96b55c84e13b020c1092628702be3d09
SHA1 hash:
de04e17c291ef564257022154e7e037d6e72ca92
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fb55380d-311e-4be9-9950-b48b208af93d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13265/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments