MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 979f1e3b8f40b536515b0428df9468044561f18dbb3beeedec5af36f7b04fcd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

SHA256 hash: 979f1e3b8f40b536515b0428df9468044561f18dbb3beeedec5af36f7b04fcd9
SHA3-384 hash: 0f371fc94b9daebdad813ad15476b741d94b000a737985b2b2906ce021cd324608de7d954145294d4515f60b9fb4747e
SHA1 hash: 0bb74ae97e7c14301a568bfbc0c1c6fc4af9c2f7
MD5 hash: 4a2d6f192c984afa1732cd8c2d0fd76c
humanhash: idaho-alabama-tennessee-kentucky
File name: PAYMENT INVOICE.exe
Signature: SnakeKeylogger
File size: 594'944 bytes
First seen: 2025-07-02 23:02:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:wH2JJW/fkR1xG3MpMFwNJ3hIVxrY2yD4iM4u/0JtTcI:yZ/sb+MkynkNY2yLJ1I
TLSH: T159C4BE47264A447FD5EAFAB20402D0B5037CAD9DE501E39ECBE5BDF7FC66E122980252
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: a25337335bbb1bba (5 x SnakeKeylogger, 3 x Formbook, 2 x VIPKeylogger)
Reporter: threatcat_ch
Tags: exe SnakeKeylogger

Intelligence

File Origin
# of uploads:
1
# of downloads:
33
Origin country:
CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_979f1e3b8f40b536515b0428df9468044561f18dbb3beeedec5af36f7b04fcd9
Verdict:
Malicious activity
Analysis date:
2025-07-02 23:03:31 UTC
Tags:
netreactor snake keylogger evasion stealer telegram ims-api generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
base64 bitmap masquerade obfuscated obfuscated packed packed packed reconnaissance roboski stego vbnet
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Verdict:
Malicious
Threat:
ByteCode-MSIL.Trojan.AgentTesla
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Status:
Malicious
First seen:
2025-07-02 17:16:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
2/5
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7632727503:AAGJWizRGKV7-g-E8Iawv9B_LEzBVM_eYpk/sendMessage?chat_id=7300263540
Unpacked files
SHA256 hash:
979f1e3b8f40b536515b0428df9468044561f18dbb3beeedec5af36f7b04fcd9
MD5 hash:
4a2d6f192c984afa1732cd8c2d0fd76c
SHA1 hash:
0bb74ae97e7c14301a568bfbc0c1c6fc4af9c2f7
SHA256 hash:
b9c9bef0464b72f540a3846497551facd39e02e6f77c7f060adfdce424738046
MD5 hash:
72681ec2f42e86a6ca20d6f0273f2f29
SHA1 hash:
0462638d5c309be42a7af4e5f535db76f3739dfa
SHA256 hash:
fbef014794637ed767e8eab58113a719d99ed257f096243d0cc5f9af00cf16a2
MD5 hash:
c0dac73be0e2eee426aebee129f8a072
SHA1 hash:
44f78159c9a97442491c503245dde782ca562d57
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
8b5101c5d54e6046b9b1d68cf6afc38755ed554d91311d7663302ce126283c3d
MD5 hash:
3c93912202f6c333a486053b56d70dc8
SHA1 hash:
bdf5f6dfd57c74778f313554e23e3eed56fe2df8
Detections:
win_404keylogger_g1 snake_keylogger MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_DotNetProcHook MALWARE_Win_SnakeKeylogger
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
SnakeKeylogger
Executable exe 979f1e3b8f40b536515b0428df9468044561f18dbb3beeedec5af36f7b04fcd9 (this sample)
Delivery method: Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (GUARD_CF)
Severity: high
