MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c
SHA3-384 hash:	4a91575ac53506361621d180899abab33f63dd180c843f7970bf91be758d60546f992395f35dc56773a4955415b5b9bf
SHA1 hash:	a06184b7a7af3a34481628c7031d10b201286993
MD5 hash:	1b3d5513780913e9b19990a500895279
humanhash:	green-saturn-cold-illinois
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.12575.3796
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	562'688 bytes
First seen:	2025-05-29 03:30:45 UTC
Last seen:	2025-05-29 07:12:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:AgDB6yeHRp94zz1VOYyKsLQKHOTft0Frv2Z0MxUIoy03/NRD:AWed4KYyKsL1QtSMRoy03
TLSH	T1ECC4025E2666CA17C8965FF40672E2F463B8AECEE522D74A8FC85CDF7A1B7100744312
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	8271f0d4d4e87192 (10 x Formbook, 9 x SnakeKeylogger, 9 x MassLogger)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

543

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.12575.3796

Verdict:

Malicious activity

Analysis date:

2025-05-29 03:31:59 UTC

Tags:

netreactor snake keylogger evasion stealer ims-api generic

Link:

https://app.any.run/tasks/e6c277f3-aa9b-482b-b8be-38a644621f8d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/6135/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.12575.3796.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6837d6f4acf88f5815e8439c

Tags:

backdoor micro hype

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/6837d50bfd02ed5e058daabf/reports/3416f150-1240-4a81-97f5-579fa9b0a06a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e3a56323-b122-498b-82ff-0ffe782b9252

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1701221

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses threadpools to delay analysis

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-05-29 02:25:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tcnsk2gnq4afegbl2y32tjnbx5uemhrpuwlwgz4prd3djp6r2uoa._file

Verdict:

malicious

Label(s):

404keylogger

unc_loader_037

Similar samples:

error

SnakeKeylogger

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/250529-d26pcabq5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/01134c36-af4c-4aa1-89d5-5817d7dce326

Unpacked files

SH256 hash:

989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c

MD5 hash:

1b3d5513780913e9b19990a500895279

SHA1 hash:

a06184b7a7af3a34481628c7031d10b201286993

Link:

https://www.unpac.me/results/18688dbb-7d5b-4fa8-956f-95561a54e1c8/

SH256 hash:

ff55838cf83322ceab30a512da916f2821181007e95c8fa68674825df8c819b4

MD5 hash:

c9d09ec2449e60042cfc5222e0905ac9

SHA1 hash:

00f21d00230d6595f91ea5c990910f86bbfa44b1

Link:

https://www.unpac.me/results/18688dbb-7d5b-4fa8-956f-95561a54e1c8/

SH256 hash:

7efe08e77453b51022ca5c2d34874e9d5b1217f2e00f47fecaf59197524cc27f

MD5 hash:

b2a0668e0c778158bc9552c6990b33b1

SHA1 hash:

868967284a7e5dc625b9e1db00cf6b1211a46e96

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/18688dbb-7d5b-4fa8-956f-95561a54e1c8/

SH256 hash:

bcf00d46454557fd5e6b715f17b24813cff491c3452db8c6bdb2487f5d39545c

MD5 hash:

cd50813f51a5e3ff6ddd8d5a72bd8a7e

SHA1 hash:

f715f2f6e31db1c3d8941eb430d329bdc478382d

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/18688dbb-7d5b-4fa8-956f-95561a54e1c8/

Parent samples :

989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c
80cc16a45aa7542d744024f41d1edbf957980d3e08c57fd420472fe2cb670ad3
78ab57a8a77b6d2146e59bf1eac96c4f4a3dc6d6da6e0b06075b15be00c6cfb4

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/989b2568cd87/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6135/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample