MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6
SHA3-384 hash:	06504a42d35a8a63c7b7ce9e4aa09ca35dae3dc216eb7b77406a5e25d830e026ee23e7848b3dc71a5b28eb033f35b5ca
SHA1 hash:	f09a906875c0f218a67ba0a6996696ef851adc59
MD5 hash:	65aca0cc01bdf5713286f6c6159179a1
humanhash:	april-four-jig-aspen
File name:	purchase order.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	584'704 bytes
First seen:	2025-06-27 10:38:23 UTC
Last seen:	2025-07-07 15:22:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:IjbuSxRTB02Z59VJu5SWu/Ifv6Pjtd59T2JYoeMa:IjbuMjNZ/Ifv6PjtzJr
TLSH	T148C4F0569653CE02E0A71BBC276AD1752A326FDE6821CB0F9FD23DD778B73851290B01
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	a8cccc949494b4d4 (6 x SnakeKeylogger, 5 x AgentTesla, 2 x Formbook)
Reporter	maciejsrocz
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

418

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

purchase order.exe

Verdict:

Malicious activity

Analysis date:

2025-06-27 10:41:34 UTC

Tags:

snake keylogger evasion netreactor

Link:

https://app.any.run/tasks/aae37b74-e076-43f3-9abe-ea45a0d395bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/11344/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3323.18712.9635.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685e74db37c3436779468b1f

Tags:

snakelogger virus krypt msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a system process

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

dotnet-loader entropy masquerade obfuscated packed packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/685e74dd45e80b29f8a18189/reports/8fccd6bd-66cb-401d-a9a4-904e07875939/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3282cf0-c48f-43f2-b136-220b4905e650

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/65aca0cc01bdf5713286f6c6159179a1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6/

Threat name:

ByteCode-MSIL.Trojan.SnakeLogger

Status:

Malicious

First seen:

2025-06-27 04:51:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sclcxihmn26ljraqbwqtfw3hxkzjzbxo2hz3hpl7edlr5oxggd3a._file

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery execution keylogger stealer

Link:

https://tria.ge/reports/250627-mp4hwsdm6z/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7989208005:AAF_Q0GA79z6GYuSCl4sG25i2uv4Su1T7eM/sendMessage?chat_id=7300263540

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7e85a797-d2d6-4046-ad3a-495cea6d6eaa

Unpacked files

SH256 hash:

90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6

MD5 hash:

65aca0cc01bdf5713286f6c6159179a1

SHA1 hash:

f09a906875c0f218a67ba0a6996696ef851adc59

Link:

https://www.unpac.me/results/9415c5f5-879b-4dc4-b1d3-f849dd041864/

SH256 hash:

fd8e694ab19875cb7fd6d4230f4a9385ec7b1f83fd7c1c98bc874df20c94b0ac

MD5 hash:

f311ad1781cb9620986213d7e39b9e5b

SHA1 hash:

29e4da2327b6f9644f3b394d6933e0ee122edf4e

Link:

https://www.unpac.me/results/9415c5f5-879b-4dc4-b1d3-f849dd041864/

SH256 hash:

d2e006711357492298f35c808f1ff730f40951495fe3e931df4cc373296f4778

MD5 hash:

8da67016c04a3909cce4d4fd13d00b98

SHA1 hash:

3154fbf87e8c29eca86a07803e61ea19f6dfa32c

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9415c5f5-879b-4dc4-b1d3-f849dd041864/

SH256 hash:

a1197118cd085e336de212d6a51e513817076a3beb2dc2728733fae5253e5ae9

MD5 hash:

d54b432df9d4f8f2ab4057e9edcfe2ac

SHA1 hash:

d9dad22013d498a9b1ce8c898eeb5d2aaa3f49fe

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/9415c5f5-879b-4dc4-b1d3-f849dd041864/

Parent samples :

90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6
f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/90962ba0ec6e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11344/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample