MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 17 File information Comments

SHA256 hash:	ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1
SHA3-384 hash:	51e247cbdf733e35a780ce0b400095fec724e1fe32d48c00da8fb5742c06d1939843dc39e64dff9bb3ac25a17d3d28d0
SHA1 hash:	5e3ef5e8460f21764472a70eb9e244ee6421cd5a
MD5 hash:	06c1040968b2adbdf497ff412a7aa510
humanhash:	double-montana-alpha-georgia
File name:	ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'047'552 bytes
First seen:	2025-07-07 14:22:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:9s9IxVb6geC1dMjflF8KCLfPVYSu1Foc1G:pxl6geEdMTIVYSujs
Threatray	1'985 similar samples on MalwareBazaar
TLSH	T101256B9D3650B1DFC85BC572CAA89C74EB607C7A531BC203A09719AEB90DA97DF140F2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	40b974c4d4602858 (8 x Formbook, 6 x AgentTesla, 6 x a310Logger)
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12856/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686bd836900df8e7f8684166

Tags:

agenttesla spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Setting a global event handler for the keyboard

Adding an exclusion to Microsoft Defender

Forced shutdown of a browser

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ab842a5f-7fa7-4051-8a37-5974a81579f0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1

Verdict:

inconclusive

YARA:

12 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.14 Win 32 Exe x86

Link:

https://app.malva.re/file/06c1040968b2adbdf497ff412a7aa510

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-06-19 07:08:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmju7xpzqokpctpfrtw44crkwvb4vt66fqvffsaibzg3zdifrwqq._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

SnakeKeylogger

c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400

SnakeKeylogger

d29951ed6ca3422a3ae5e2290a755571354f8d17ba3512a3b64275386ab08c6d

SnakeKeylogger

e69d7fa2b55a9c5b632015c4cbc2551b1109e99f7773f4fe7def0aa8a91eca11

SnakeKeylogger

f2cf2e30e5adbd28df56d9b640ac94dc8fcf6ff6cecc04502af5664e3afe82a0

SnakeKeylogger

+ 1'975 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/250707-rpstlsv1dt/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cdd8587a-654f-436b-864a-d4b614721465

Unpacked files

SH256 hash:

ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1

MD5 hash:

06c1040968b2adbdf497ff412a7aa510

SHA1 hash:

5e3ef5e8460f21764472a70eb9e244ee6421cd5a

Link:

https://www.unpac.me/results/e3035485-96d2-4f34-ba6f-f9a5c5de1d5a/

SH256 hash:

b7f2d2573840e04a3913d6c851690324474c25d684b9659dd2e9a61453c7df92

MD5 hash:

cccfc6cb092e4d74ac3d73ddcb64b493

SHA1 hash:

263d750ffd94a3a6ad61d252ad586398b3296c3a

Link:

https://www.unpac.me/results/e3035485-96d2-4f34-ba6f-f9a5c5de1d5a/

SH256 hash:

f1560e8084b5843cb70cbf21220ffb7c738d8f31c036b7be0895d565500b5319

MD5 hash:

ff15200561557bbff87050e98e7461ae

SHA1 hash:

c53cfc89cb0456688a984cd33e7ecea68ff27451

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/e3035485-96d2-4f34-ba6f-f9a5c5de1d5a/

Parent samples :

50ec898674f779ff3115b5d856c579eb89aa9702db8355a6a8f34616223a889c
07b152394aab317e08fc56aa9fd33236cc8ea7a71d58ab9d7660ac70ccb495ec
1826e61ce9790350a2e81f89d3dedb33b72b0a91d19907b371ea8c2a7219efe8
ea45642110816d0fb61fedc38fe846875e3d04e62ec9d88ec6854eb2b610ca69
446ac5b2673ba02db508a71c3c821a4f5b2f6d9b0f8e4af62a7b747dceae33a9
ab134fddf98394f14de58cedce0a2ab543cacfde2c2a52c8080e4dbc8d058da1

SH256 hash:

c40cfac430feffe85a0a336b0c39b547cf1b1dfa95af0abfa95fde52e8be00f5

MD5 hash:

9e420ed2fc3e7900d255dfa6739206c2

SHA1 hash:

e23a0c870eae5610f8f1bb48efe31e69976aa4b0

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/e3035485-96d2-4f34-ba6f-f9a5c5de1d5a/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	growtopia Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked growtopia stealer malware samples.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12856/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample