MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 22 File information Comments

SHA256 hash:	8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8
SHA3-384 hash:	07d9eddc66d9d9c489792c54b49c8f75e28727757ac7a9b73fef1d5ad7c654cf0397009d49004098e0bf4c8bb83eed4f
SHA1 hash:	09e5db9d9e3bce193eaf730275f68233cf93eef9
MD5 hash:	91ace154edf149bc6b2bc3a5225d8dba
humanhash:	batman-video-jig-purple
File name:	NEW ORDER-SUNNY 1000591600.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'013'760 bytes
First seen:	2025-11-17 09:48:54 UTC
Last seen:	2025-12-08 15:05:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	91d07a5e22681e70764519ae943a5883 (130 x Formbook, 32 x a310Logger, 27 x AgentTesla)
ssdeep	12288:Gtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga5Ts02a7n2xXCsG3+db5:Gtb20pkaCqT5TBWgNQ7a9j2a76S2b6A
Threatray	2'757 similar samples on MalwareBazaar
TLSH	T13525BF1373DE8360C3725273BA667741AEBF782506B5F96B2FD4093DE920122521EA73
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'644 x Formbook, 1'203 x CredentialFlusher, 911 x AgentTesla)
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ORDER-SUNNY 1000591600.exe

Verdict:

No threats detected

Analysis date:

2025-11-17 09:54:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/323d8550-bb39-4ad1-9c7e-402d88d0f30d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/38459/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691aefaabdb0ec3a9dc2ac48

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

DNS request

Connection attempt

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script fingerprint keylogger masquerade microsoft_visual_cc packed phishing

Link:

https://www.filescan.io/uploads/691aefa7ed04ea07cd944be6/reports/3e6d4e2c-3f60-4efb-8d30-92a7a6d281cb/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-16T23:50:00Z UTC

Last seen:

2025-11-19T06:37:00Z UTC

Hits:

~1000

Detections:

Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Auzenpak.sb Trojan.Win32.Strab.zkw PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stelega.sb

Link:

https://opentip.kaspersky.com/8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d8619b29-fcd9-4fbd-8f0c-1a8a103e794f

Result

Threat name:

VIP Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1815174

Signature

Binary is likely a compiled AutoIt script file

Found malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8

Verdict:

Malware

YARA:

6 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/91ace154edf149bc6b2bc3a5225d8dba

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8/

Verdict:

Malicious

Threat:

Family.VIPKEYLOGGER

Link:

https://tip.neiki.dev/file/8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-11-17 02:54:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r66hfkseebq7y6luu4ac33la4r7ms3zi37gand6cuqae3s62m3ua._file

Verdict:

malicious

Label(s):

autoit

vipkeylogger

SnakeKeylogger

6902a0bb15fa92daf3e9cfd812886fc181b9c5a7261a99b0e825646c8405449f

SnakeKeylogger

82fc5ecf0a30f1049c72121337eacf3221927dd2ad9f1579e805658baca32d61

SnakeKeylogger

a6427f067afeb5ea5d886b905503ffd5ec44ee32dfa0e3f0a80a0008e1ace721

SnakeKeylogger

fa17ebbb5c72b5708788fcc382796919054c6b9c44448eb12e2a3c94469661ab

SnakeKeylogger

+ 2'747 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger discovery keylogger stealer

Link:

https://tria.ge/reports/251117-ltke5sgk3v/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d827c161-b88b-4681-8f3c-4ff72dce7258

Unpacked files

SH256 hash:

8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8

MD5 hash:

91ace154edf149bc6b2bc3a5225d8dba

SHA1 hash:

09e5db9d9e3bce193eaf730275f68233cf93eef9

Link:

https://www.unpac.me/results/14ec5dab-26d0-44bd-8f5f-58426316e43d/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8fbc72aa4420/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	VIPKeyLogger Create hunting rule
Author:	kevoreilly
Description:	Detects VIPKeyLogger Keylogger

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 1e1efaf9a95e3f10ae880c4befbbacde3f7a78c68f19220ae068235aa5a9a598

SnakeKeylogger

exe 8fbc72aa442061fc7974a7002ded60e47ec96f28dfcc068fc2a4004dcbda66e8

(this sample)

Delivery method

Other

Dropped by

SHA256 1e1efaf9a95e3f10ae880c4befbbacde3f7a78c68f19220ae068235aa5a9a598

Cape

https://www.capesandbox.com/analysis/38459/

Dropped by

MD5 8e26ff6546b23c540db4b9afdf76fad2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample