MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941
SHA3-384 hash: 6582a10796fc80bea2f6ba9da4cb8f7fe4ee20df1a9c9902d3f7973942447122a66659cc7ce3d1331a957aa8b1d8be1c
SHA1 hash: 566eaa6d759f8c796b05f8f00d50634bc567b8dd
MD5 hash: bec246dc21389e6c7ec35475c4bbd364
humanhash: oklahoma-five-bulldog-green
File name:FİYAT TALEP (2).exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:738'816 bytes
First seen:2025-05-22 06:22:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Rltf7VyGAxJ6hFcco4cTpA+bGqg2E044O9bdLN0G9rDCqn8qYENHqi+vaV9jo:RlFP+4ibrAZAO9Awra4KihV90
Threatray 1'582 similar samples on MalwareBazaar
TLSH T1B1F412141A18DC12C1A60BB509B2D3F92B79ADCEEC11C743DFEA3EEB7C796196840395
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe geo SnakeKeylogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
421
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FÄ°YAT TALEP (2).exe
Verdict:
Malicious activity
Analysis date:
2025-05-22 07:39:03 UTC
Tags:
snake keylogger evasion telegram netreactor stealer smtp ims-api generic
Link:
https://app.any.run/tasks/24eb0fc1-07c4-48bd-aa06-90120314bf7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Packed2.49281.19766.1140.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ec668c28c67d666445337
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/682ec2f1fd02ed5e0581d33b/reports/15906e37-a004-4883-9b1d-b1726df5faa4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7edeb749-4c25-4d18-b2bc-7b7e184db437
Result
Threat name:
PureLog Stealer, Snake Keylogger, VIP Ke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696599
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696599 Sample: F#U0130YAT TALEP (2).exe Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 54 reallyfreegeoip.org 2->54 56 api.telegram.org 2->56 58 3 other IPs or domains 2->58 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 70 15 other signatures 2->70 8 F#U0130YAT TALEP (2).exe 7 2->8         started        12 gKntwi.exe 5 2->12         started        signatures3 66 Tries to detect the country of the analysis system (by using the IP) 54->66 68 Uses the Telegram API (likely for C&C communication) 56->68 process4 file5 38 C:\Users\user\AppData\Roaming\gKntwi.exe, PE32 8->38 dropped 40 C:\Users\user\...\gKntwi.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpB625.tmp, XML 8->42 dropped 44 C:\Users\...\F#U0130YAT TALEP (2).exe.log, ASCII 8->44 dropped 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 14 powershell.exe 23 8->14         started        17 F#U0130YAT TALEP (2).exe 15 2 8->17         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 76 Antivirus detection for dropped file 12->76 78 Multi AV Scanner detection for dropped file 12->78 22 gKntwi.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 80 Loading BitLocker PowerShell Module 14->80 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        46 api.telegram.org 149.154.167.220, 443, 49721, 49722 TELEGRAMRU United Kingdom 17->46 48 mail.uckardesler.com.tr 31.210.74.53, 49723, 49724, 587 RADORETR Turkey 17->48 52 2 other IPs or domains 17->52 32 conhost.exe 20->32         started        50 reallyfreegeoip.org 104.21.48.1, 443, 49696, 49697 CLOUDFLARENETUS United States 22->50 82 Tries to steal Mail credentials (via file / registry access) 22->82 84 Tries to harvest and steal browser information (history, passwords, etc) 22->84 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvip3tqwmxwmft7mubejii6a7nr62cl2tf6ztgyil62grnlqlfaq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
2c0b6ae87cb80705150f9b3bf019a9033d5e841b8256397e8af4c162d0fae5a4
SnakeKeylogger
3c831d32919d82c5b30e3bbe158dff4d2090803e5553248eabdedd95dd085736
SnakeKeylogger
407d971ab2a45c6b84aea4658827fdf816e4bcc94d97319d813b1a96ad8c3b1e
SnakeKeylogger
d29951ed6ca3422a3ae5e2290a755571354f8d17ba3512a3b64275386ab08c6d
SnakeKeylogger
+ 1'572 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250522-g5s47syqt9/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941
MD5 hash:
bec246dc21389e6c7ec35475c4bbd364
SHA1 hash:
566eaa6d759f8c796b05f8f00d50634bc567b8dd
Link:
https://www.unpac.me/results/ac8322c3-93e1-47ef-a25e-63844e8b7174/
SH256 hash:
0656f59c9e7cfa07d64cf4cd7d85ebd9b4399893cc853f3d1d37cca622d1f815
MD5 hash:
e4a8fe009b340647108a98105600f476
SHA1 hash:
03193855202feecd4bc542876855e706a243f13b
Link:
https://www.unpac.me/results/ac8322c3-93e1-47ef-a25e-63844e8b7174/
SH256 hash:
f4cb4440a37b46c1932d19fbd2b5b7a4c4720ce54bfd5104cb1d4cd78c446fed
MD5 hash:
f2681514253b51ba448e9f1ac714dcd6
SHA1 hash:
9db81965da0b0c1fb7e1eda3ee3bd6f392150337
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/ac8322c3-93e1-47ef-a25e-63844e8b7174/
Parent samples :
1db56e465ed96854a3aacfda167655ad55dd417a59ab0c9e9cb9cf003b17787c
23d10ea1343d12cf733b2c8abdd3a177e11e7568772ac9a738e1d88d6c9fd3e5
320301198d17acec0c1a5f0c7026d5399658a9b1dfa0678990fb0a2c68ac0ce2
5b8bb3f066cac540f3846ae6a97cefa64b2dfa74e6696d15b64eef1f44bed938
17445fc3b78c7a08d5c4bc4164d04f99a4906ca50fc7552c1420c9efbebfe215
c36369fab2df20ecfe48904d1e740c361fbf72f7f06221cefcbb1586d696506a
95b82aa50dc25b6d67b4c4368411e8f82bdf1352b830e57e5899ab1cd427a1d2
9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941
d505aeb609922a84eee0643174d65e2bd43b1d11d70cca975f401f7900d5c267
641179e9ca32c9622badbffdc6659a9559074addece0ec1fc5e1b0a296aa1a27
SH256 hash:
d7a89fe351332fb47a360b0d431d6975ee8f493acb281004388f36eb5202cb16
MD5 hash:
5d9488abf2d758590f8fa0df37129fdb
SHA1 hash:
cdc2191eb85af598031270642aa2727fca41356e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ac8322c3-93e1-47ef-a25e-63844e8b7174/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d50fdce1665/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d50fdce1665ecc2cfeca0489423c0fb63ed097a997d999b085fb468b5705941

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Telegram_C2_Communication
Create hunting rule
Author:whyyouwannasee
Description:Detects Telegram-based malware communicating with api.telegram.org
Reference:https://core.telegram.org/bots/api
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments