MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
SHA3-384 hash: 1b46862cd29d3a90fcad527624afd18ba46dbaf3c249067a7810152b841fef6feb9d07388351698e363f14eda1a92587
SHA1 hash: 9eb1d26ff5b099ee060afd5d1b658eb59fab4541
MD5 hash: 73f983a8f863e04d5a382a0c9540ae59
humanhash: coffee-jersey-summer-avocado
File name:RFQ #115 - LUCID PROJECT.scr
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:741'896 bytes
First seen:2025-03-24 08:35:00 UTC
Last seen:2025-04-08 07:19:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:4O+xlloFu0xx8EbnnNNrkSfoSFKtp5ZDzKMmAMyO4kNem/JWO2SohcwkR:47lwxxhLESfoQwfZDuLyOzEySc3
TLSH T13EF412051659D903C55B1FB829A0C2B263F59EDEB910C763EBD9BCAF74FBB200184396
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
RFQ #115 - LUCID PROJECT.scr
Verdict:
Malicious activity
Analysis date:
2025-03-25 06:00:13 UTC
Tags:
raccoon stealer snake keylogger evasion telegram netreactor
Link:
https://app.any.run/tasks/01949d7e-27aa-4f1d-98f4-67edd02f657f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e2470cbb84e066269ebbea
Tags:
kryptik virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature masquerade obfuscated packed packed packer_detected phishing signed vbnet
Link:
https://www.filescan.io/uploads/67e119791ccf9586bbc51707/reports/b1e54f2b-02fb-4bd4-b74a-ff7a08d1b384/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
Result
Verdict:
MALICIOUS
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1646821
Behaviour
Behavior Graph:
n/a
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-03-21 08:26:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnwhfdl27fsnri25krhmg5wh74ln6lzstviuzavtculuu3n2biuq._file
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250324-kg29ravtbt/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/5d5a2b33-772b-45cf-9d8b-1a6b7c9530fa
Unpacked files
SH256 hash:
45090736995073d956f6d1d7492a48aa6aff25247d44367c462d98acc416b8fa
MD5 hash:
f0dc051742401253a4b4b9ae8fec75b7
SHA1 hash:
03c822d0169724340993b2ae671e749c1e2ee6ba
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b06ca61d-6c22-4d6b-ad99-1bf99dfa0413/
Parent samples :
769cba836f991b58e8f70ebecb20c4e34fc5e1d1fc7c031b8fc704f43676d83a
8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
a6918f34f6ec6b61354a88f4275de492bf08ac570525b76e40c11ef377c85718
c82c8f715142e8bb457caeef673c059332a6bbcc4dbb9c5648b5af9228fffda7
9dea2c8077ef669f375ee39b3696212613965aa7abc9cd511260700b274fb52e
ff60ffef67945adacbec3f49fb146e1813d552d4477a74714fc6f0d951c9c5dd
6d085e9fc9f8b798a52545a899121da1c6415a125f0adc9c056e5c162143f413
cf2142b71c02cebf4aca8910971c84f52b7692fdc6c7bdccebf8c93f6c9aca1c
SH256 hash:
9b0f60c1d5e3739dc73978d61625cc255a912c02d742e7b7fa16af578e94986d
MD5 hash:
815089b7ca4f1232dd87c7a88cddea33
SHA1 hash:
5aec6db1efc2b456d3ea52ff85b4d340819020ab
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b06ca61d-6c22-4d6b-ad99-1bf99dfa0413/
SH256 hash:
154eca60b75a080d4fc22c84f35d9c867b6c2a3ed608978529ff52c94e7eab4d
MD5 hash:
c31a766f09773c569b6fcaf26cc97a2a
SHA1 hash:
659cc61928fd675fa45a72361fec55b96bfec05a
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/b06ca61d-6c22-4d6b-ad99-1bf99dfa0413/
Parent samples :
e7fe1c2591b10ca2955cedfc436c2cbe554e7183160cd7d340688ea857fa27ae
96da4b8d14447d80f32748bfe57478b2aec51c8c2b4762d6934829a13040d97a
365a64d31e1b6981e3be8d9bae05ee95e3d0dd46e0329e1bff35c74c810111b0
1e2143b98df22081eccb57ead02a1cc5212aee0b51ac4ee89e858f4a62ddb3bb
cc40ff4d1e988abfed4e517c8505aad995cb8a3315ff1baa7ec6c352bc44983c
79c1989be0f722072b944cd12a158aa3c4cc59e482846bb3fbdbf5b6667840a9
a9d8843bb48d123d94742275be98648fee2262d2af1c4b987d46cf10c9ae4398
c822084a8f1aa34346264bea15d6af68a8c1bd85a3eb2a80b5cd00085da29f24
0c52e638e751092ae2eb5818e52929052a7d527d8be99f9a97bf783f648e2912
35423fe7c19b606f2b6d4aad403b2ed9aefafd2dc09ffcc1582acaaf71fb282f
593e75e6e84def8dc80ff0d88136dc00335c465b414253bc19f99cbaded794eb
8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
41090020877332eb428cba81fbbbc3686a8e12bf0cf499902a8a5d2f53c4caf5
5909e27a896820bada06d37fa535a94759f336c7f9b07cf5202346c2d6e0e5d9
caa56d33ca9d08ee531040d6e591b20a8f7bc671a02622ad6fa5f609af5f5a32
SH256 hash:
8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29
MD5 hash:
73f983a8f863e04d5a382a0c9540ae59
SHA1 hash:
9eb1d26ff5b099ee060afd5d1b658eb59fab4541
Link:
https://www.unpac.me/results/b06ca61d-6c22-4d6b-ad99-1bf99dfa0413/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b6c728d7af9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 8b6c728d7af964d8a35d544ec376c7ff16df2f329d514c82b315174a6dba0a29

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments