MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b
SHA3-384 hash:	8cf935b75936d371f9ee9937491e3ddef5cce513b3d634a2478516afdf7b62c21c3979e37405bbf046a52032e4973a43
SHA1 hash:	c3fbdacb0fe2bd2c959817cdfcea4687c6b074b2
MD5 hash:	03d0f44070e20a3656cae797a7f06cc3
humanhash:	tango-xray-butter-xray
File name:	SecuriteInfo.com.Win32.MalwareX-gen.19676.10900
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'246'720 bytes
First seen:	2025-07-07 07:18:42 UTC
Last seen:	2025-07-07 08:16:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:8hQKJXeCtKMRzdhE/FvKBMby/7yMXK+fTpCRfMK/fqM:8XXeCttRxhENiBMulXK+fTe7HqM
TLSH	T133459B4271A5E86AC5768EF1C920CAF393716E07E619C28B0CD57ECBF4F1F0609A4A57
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	e9f0d2d2b6b2b28e (4 x SnakeKeylogger, 2 x XWorm, 2 x NanoCore)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.19676.10900.exe

Verdict:

Malicious activity

Analysis date:

2025-07-07 07:24:00 UTC

Tags:

netreactor evasion auto-sch-xml snake keylogger telegram stealer

Link:

https://app.any.run/tasks/23751758-7fe9-4db6-9c22-ac9bf83f7ecd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12610/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686b74fcc9eb974737674d4f

Tags:

snake spam

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap obfuscated obfuscated packed packed packed reconnaissance roboski stego vbnet

Link:

https://www.filescan.io/uploads/686b74fa1d10e24bd4438395/reports/328d55ed-1857-49f2-920e-44965ed7465b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/70b2a92b-4012-4755-9f09-8e6009e2b29c

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.13 Win 32 Exe x86

Link:

https://app.malva.re/file/03d0f44070e20a3656cae797a7f06cc3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b/

Threat name:

ByteCode-MSIL.Trojan.SnakeLogger

Status:

Malicious

First seen:

2025-07-07 05:14:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wh3q7feh5iwelksrx6byst7ubz5i5vjc54sxlipmczr7an2puffq._file

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger persistence spyware stealer

Link:

https://tria.ge/reports/250707-h5n1xsztb1/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e450b7da-448d-4fdd-9c14-4a7fdb67eb6d

Unpacked files

SH256 hash:

b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b

MD5 hash:

03d0f44070e20a3656cae797a7f06cc3

SHA1 hash:

c3fbdacb0fe2bd2c959817cdfcea4687c6b074b2

Link:

https://www.unpac.me/results/077f8626-f9da-431c-85d9-6b83a39dbdd8/

SH256 hash:

b97ff4c2584a7e8e301cec81382e63d113d25403ccdf4ab1f93a315ab2893303

MD5 hash:

60771de67ea97a33af016c352b36298d

SHA1 hash:

47a01e68e58aafe5500b79c44b8f5559f43a374b

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/077f8626-f9da-431c-85d9-6b83a39dbdd8/

SH256 hash:

390f5973f61914d68ca34c4794a90e7c3b91811cffb33fb03cc9f56190bb1145

MD5 hash:

ee6de6cac700d4a83efcb5ba052c93c4

SHA1 hash:

6d4ac55be01ed0ff8d2a6a23db9ee3cd70a50c25

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/077f8626-f9da-431c-85d9-6b83a39dbdd8/

SH256 hash:

6b3803d57b5033582d424c2c48ca7c535c2c927a12d56269a413cb61c9c569c0

MD5 hash:

8b2d87ec0d6097cf4cbd324745a2befb

SHA1 hash:

7968b1b4a8053b011dff164c9b6d5862f419f7a2

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/077f8626-f9da-431c-85d9-6b83a39dbdd8/

Parent samples :

e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e
27a52e38bbd0eef6a1eafece6090fd12543b92fdb1f909e10b6c1ac2f1981449
b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b
0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
09dcb03bd67ebe186aa8874c549c4e9c62f10fd0ae483b5bf6dc89e2003ebb71

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12610/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample