MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 19

Intelligence 19 IOCs YARA 16 File information Comments

SHA256 hash:	91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
SHA3-384 hash:	3bace416c506e2cb937a1a2113381e957b2476b8926eed9312c6125250f34ed4555fbde121fd759a52aa0ba735403f7d
SHA1 hash:	074d8b92b653bb80fdb20c0015c2c82d71d40034
MD5 hash:	505b68000041599dacb460ba5f1d5c79
humanhash:	coffee-black-network-washington
File name:	91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	749'568 bytes
First seen:	2025-10-14 11:04:41 UTC
Last seen:	2025-11-06 10:27:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:doIR3P+COqAejcPSc68pBq/4lUPFhnCC1gO7xKqX:dojC2eoBDqPF9z1t1
Threatray	3'815 similar samples on MalwareBazaar
TLSH	T1E1F4BEB1F2B58459D49867B14826D83411E72DBCECA1D70AC5DA7CAB79B3FC3089290F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe SnakeKeylogger webmail-ki-lojaobrinquedos-com-br

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c

Verdict:

Malicious activity

Analysis date:

2025-10-14 11:05:46 UTC

Tags:

evasion snake keylogger stealer

Link:

https://app.any.run/tasks/54f64d70-8dbe-4330-97c4-469e64dcfdb8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/32664/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee2e8b04e22ce9acd9ec2e

Tags:

backdoor micro hype

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68ee2ec69da6b44f3c8b93e8/reports/9c1d27cb-5552-4285-9433-37117f5fa0f1/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-13T03:54:00Z UTC

Last seen:

2025-10-16T08:20:00Z UTC

Hits:

~1000

Detections:

Trojan.Crypt.TCP.ServerRequest Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Taskun.gen Trojan-Spy.Agent.SMTP.C&C PDM:Trojan.Win32.Generic Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb

Link:

https://opentip.kaspersky.com/91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd4f862c-04d0-4903-901b-62bc0da66aae

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c

Verdict:

inconclusive

YARA:

7 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.25 Win 32 Exe x86

Link:

https://app.malva.re/file/505b68000041599dacb460ba5f1d5c79

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-10-13 09:52:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sg7acwa5gajw7qovjetpw37oc67lcckz3lsp6b6jqcgaergm4joa._file

Verdict:

malicious

Label(s):

unc_loader_037

404keylogger

SnakeKeylogger

543b0d455d409155d088d96f0ea8ec6ae11edd0d18d5c39e949d4557b9cdca5d

SnakeKeylogger

67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0

SnakeKeylogger

9b82825864714597159caad95b64b68cbb976756b1989d4d38e782858e510589

SnakeKeylogger

cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6

SnakeKeylogger

+ 3'805 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/251014-m7acrsfy5h/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Suspicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/6f8fbd8d-41bf-4f48-b16d-3e85d3283782

Unpacked files

SH256 hash:

91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c

MD5 hash:

505b68000041599dacb460ba5f1d5c79

SHA1 hash:

074d8b92b653bb80fdb20c0015c2c82d71d40034

Link:

https://www.unpac.me/results/3f347322-20ff-404c-b3f1-0f6b7c9bf519/

SH256 hash:

b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511

MD5 hash:

2a576318d07470206dd7c45f7d896078

SHA1 hash:

3096b2a5ccd98583949a9f57842d5547b50bbc29

Link:

https://www.unpac.me/results/3f347322-20ff-404c-b3f1-0f6b7c9bf519/

SH256 hash:

bcbdc3b3dd9e5e662c78114ea0f9f598fed39e5d473e2dda84549df3345e623b

MD5 hash:

414469d0c1c6bfebdbd996bebbdcacca

SHA1 hash:

499d03c0f33af1a11ce2d4954c19c7ee162abd22

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/3f347322-20ff-404c-b3f1-0f6b7c9bf519/

SH256 hash:

f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe

MD5 hash:

48e1fdaf7662517c4e0f968966d4d7b0

SHA1 hash:

6320e1973e714027f3d4280c125ff36f51848f81

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/3f347322-20ff-404c-b3f1-0f6b7c9bf519/

Parent samples :

2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/91be01581d30/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32664/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample