MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
SHA3-384 hash: 94176772c1e96fd58e7b533743fb257b5c112527783e37b4db2c81888df14345b0cb9ca3bd512bd27466742ba625057e
SHA1 hash: b56fc04f04241ac660d1bc3e66f0faa77e25da70
MD5 hash: d0d46e18d681576a337e8256216f20b2
humanhash: colorado-jupiter-diet-mexico
File name:Ord. No.85655 del 05082025 SOC.20-16 74713.bat
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:979'456 bytes
First seen:2025-08-06 10:56:20 UTC
Last seen:2025-08-07 12:16:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:FUdrbTmtRO017uOZuBG2XEx41K4rqWJFNikzs81Gpmm:GVKtlow2W41frqWTIYsAGp
Threatray 991 similar samples on MalwareBazaar
TLSH T1532512683669C627D1A95B765C30D3741378AD4DBD66D30EBFC0BFAF7636690A800322
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 7cd8f8f870f4f8e0 (1 x SnakeKeylogger)
Reporter lowmal3
Tags:ayintappalet-com exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
53
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ord. No.85655 del 05082025 SOC.20-16 74713.gz
Verdict:
Suspicious activity
Analysis date:
2025-08-05 14:03:38 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/227db0d9-b4e3-429c-8231-a05a78aefd59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19192/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689334ef1e8a59ee04e65f4b
Tags:
backdoor spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin obfuscated packed packed packer_detected squirrel vbnet
Link:
https://www.filescan.io/uploads/689334f42fbe0788fb1aa74d/reports/f333db42-87cd-49da-99b4-eb7c31c456d3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d68113a-0b74-4da5-8cad-9a754dbfcc97
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751259
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751259 Sample: Ord. No.85655 del 05082025 ... Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 49 reallyfreegeoip.org 2->49 51 api.telegram.org 2->51 53 2 other IPs or domains 2->53 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 79 12 other signatures 2->79 8 Ord. No.85655 del 05082025 SOC.20-16 74713.bat.exe 7 2->8         started        12 QyfuzDu.exe 5 2->12         started        14 svchost.exe 2->14         started        signatures3 75 Tries to detect the country of the analysis system (by using the IP) 49->75 77 Uses the Telegram API (likely for C&C communication) 51->77 process4 dnsIp5 41 C:\Users\user\AppData\Roaming\QyfuzDu.exe, PE32 8->41 dropped 43 C:\Users\user\...\QyfuzDu.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\Temp\tmp18C.tmp, XML 8->45 dropped 47 Ord. No.85655 del ...6 74713.bat.exe.log, ASCII 8->47 dropped 81 Writes to foreign memory regions 8->81 83 Allocates memory in foreign processes 8->83 85 Adds a directory exclusion to Windows Defender 8->85 17 powershell.exe 23 8->17         started        20 vbc.exe 15 2 8->20         started        23 powershell.exe 23 8->23         started        25 schtasks.exe 1 8->25         started        87 Multi AV Scanner detection for dropped file 12->87 89 Injects a PE file into a foreign processes 12->89 27 vbc.exe 12->27         started        29 schtasks.exe 12->29         started        61 127.0.0.1 unknown unknown 14->61 file6 signatures7 process8 dnsIp9 63 Loading BitLocker PowerShell Module 17->63 31 conhost.exe 17->31         started        33 WmiPrvSE.exe 17->33         started        55 checkip.dyndns.com 132.226.247.73, 49683, 49685, 49687 UTMEMUS United States 20->55 57 api.telegram.org 149.154.167.220, 443, 49708, 49720 TELEGRAMRU United Kingdom 20->57 59 reallyfreegeoip.org 104.21.48.1, 443, 49684, 49686 CLOUDFLARENETUS United States 20->59 35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        65 Tries to steal Mail credentials (via file / registry access) 27->65 67 Tries to harvest and steal browser information (history, passwords, etc) 27->67 39 conhost.exe 29->39         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/d0d46e18d681576a337e8256216f20b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 08:11:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpypifhl5nk4j3sgjptvropsphhl6b3z74tjw7wp45bgo6l72jiq._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
026722d98d68645cbffa896e2c7d0d59a90d079688834422f5c97f379d4ab720
SnakeKeylogger
42f45b8d26258e4b40387bda1c948fc89e3754d735ed0b69a5baaf02678ab496
SnakeKeylogger
59ca67046d065f0fd86ed3ccc7b41aa3168e5557523644fcba23d1ac65ce69d8
SnakeKeylogger
9525ab40a71a0892815a416b4a10faea2594349b0f61c3ac16d53c17883d75a4
SnakeKeylogger
d10865bd6526c7578c27e6c1d76fd3c6feb3b11fff8e0d0a3b41090a525b8bc1
SnakeKeylogger
error
SnakeKeylogger
+ 981 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence stealer
Link:
https://tria.ge/reports/250806-m1yrsavxhw/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/56ba7413-3ab2-4093-8ba3-e63d89beadf6
Unpacked files
SH256 hash:
abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
MD5 hash:
d0d46e18d681576a337e8256216f20b2
SHA1 hash:
b56fc04f04241ac660d1bc3e66f0faa77e25da70
Link:
https://www.unpac.me/results/42dfbbea-0812-4344-adaf-6b28c142ef75/
SH256 hash:
6231ca045bdb78f90fa4e09e65da692ac4500afff87a00e5772f2a1f3f6b0df5
MD5 hash:
29f1ab351d39eab7ed8eaa2aabc35327
SHA1 hash:
22d8514fc711323c0426c3f5b35c9b37d884c9f3
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/42dfbbea-0812-4344-adaf-6b28c142ef75/
Parent samples :
95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915
0f35ba4092a1137650826b2cd0eff36eeb58a51c09fb1210199948a2b03a48f3
87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056
f1072b6f2cef8a84384f1d3d5f64905640d41be85aa4966cbf6ada530be721ac
908ea4e10ff30ea0fb4dd724fdb19e1f9c491b443c90cf0957ed6216ff5d800e
6fd471d3b5a60eb2827287c5b805a12d8e4147c5c2ce85585b3e2748a10e6226
9975b81e9f8b7bf220475765a809c03d9462b60f27a06de2b5d867152aca5dad
abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
8d472caf596f0d5c7a9d1fc2bfc371f55eca7016ffe249409da702227f60a0a2
7e41a89cc3189d021b07d2c2cdcfbf151f498447e73b3539be37bbfa24586fbe
858a1f71c14ad346a95146debe2df736b00654d971bb884e6932db16404ab973
aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa
SH256 hash:
3eb15e8126666e80f63847ea485b4784d7524993bcab820e690e2043d0ddc712
MD5 hash:
557970205e312eb1b49865875a613aa2
SHA1 hash:
c62742cc552340345fb7f8bb547eb120af8a4aa8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/42dfbbea-0812-4344-adaf-6b28c142ef75/
SH256 hash:
18c8ed61f3ea809d30f836bad583aafc213e254ab9c29c5926f3a7cb27fe6862
MD5 hash:
e56581cacaf0688a379e06eccb379e90
SHA1 hash:
ca8bbabf5323928fac9543dd5c28c8e57012ef23
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/42dfbbea-0812-4344-adaf-6b28c142ef75/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abf0f414ebeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19192/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments