MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 19

Intelligence 19 IOCs YARA 19 File information Comments

SHA256 hash:	b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3
SHA3-384 hash:	1e48c90ec84ae7c6a2dae631278d0225cbea58315ae2c52d1e11f2845b699ea63a37b07af8765f3cd378d50d802f7f7b
SHA1 hash:	c34ece30a2bb888ef8b14988997ec057030c13a5
MD5 hash:	2736e27f8add019ea79d192b1beb4c6f
humanhash:	romeo-twelve-washington-hot
File name:	BANK CONFIRMATION RECEIPT.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	629'768 bytes
First seen:	2025-12-02 08:46:55 UTC
Last seen:	2025-12-08 14:01:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:Cbam5R9xHCakKLu45tmIg2rR7viKjv5sleCnCpthYvgSkR:Ua+DCj94XFrRJv5GCDXh
Threatray	68 similar samples on MalwareBazaar
TLSH	T1F1D4F1135968CB03F52497F12E73EA355BB23F5DA522D29E4DEB9CCBB910B014C88627
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/773c6e99-b944-4123-8be3-dcb769d9cf11/

Malware family:

n/a

ID:

File name:

BANK CONFIRMATION RECEIPT.exe

Verdict:

Malicious activity

Analysis date:

2025-12-02 09:14:53 UTC

Tags:

evasion snake keylogger auto-sch-xml stealer

Link:

https://app.any.run/tasks/cd8dc139-19a5-414c-8a67-0c560b01a380

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/42119/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692ea79e16e6db515e45e573

Tags:

snake micro shell msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature packed signed vbnet

Link:

https://www.filescan.io/uploads/692ea79bb2ab504519a1c807/reports/4988cea5-eeea-403f-b7ab-3b1f5283577a/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-01T04:24:00Z UTC

Last seen:

2025-12-04T07:26:00Z UTC

Hits:

~1000

Detections:

HEUR:Trojan.MSIL.Taskun.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Agent.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Agent.gen Trojan-Spy.MSIL.SnakeLogger.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Convagent.gen

Link:

https://opentip.kaspersky.com/b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d703e87-5675-4932-96ea-49cc1d79d310

Score:

87%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86

Link:

https://app.malva.re/file/2736e27f8add019ea79d192b1beb4c6f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3

Threat name:

Win32.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-12-01 07:27:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wtqzglzduvbzbpehipp2rj7outb6irxk4dexmjoxqcmincbhjpzq._file

Verdict:

malicious

Label(s):

404keylogger

SnakeKeylogger

707fdafc56b969ced0f79032c766da29582068ae2630074ec8d41c4d53a73773

SnakeKeylogger

e11a0dcca950c7f8db943cd71e152257264d9cdfdb0a8ddf23b5e9ebe07daa4f

SnakeKeylogger

+ 58 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery execution keylogger persistence spyware stealer

Link:

https://tria.ge/reports/251202-kp4gsadm6z/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/55a58482-228c-4068-9763-bced65a033b5

Unpacked files

SH256 hash:

b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3

MD5 hash:

2736e27f8add019ea79d192b1beb4c6f

SHA1 hash:

c34ece30a2bb888ef8b14988997ec057030c13a5

Link:

https://www.unpac.me/results/1c574bf2-e9b1-4b05-aac0-f48c1fecdb03/

SH256 hash:

1142dbe2a50090ea775391a26b558537de7a36f5ce9286b6095dd7911c31eeb3

MD5 hash:

57d82e2b6f60dedc1c7303b73c5a8cb4

SHA1 hash:

00e4da33a881e063c7899a3de9831057536d2ef2

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/1c574bf2-e9b1-4b05-aac0-f48c1fecdb03/

SH256 hash:

73e5f80bf105c6ef7b3d0796ba505fb2dc19da8188520e55beb564ce035ea599

MD5 hash:

df0b359e609f31389e62f150e4c63544

SHA1 hash:

2cd63320228ac8473757eb6b62d86a5e8d450344

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/1c574bf2-e9b1-4b05-aac0-f48c1fecdb03/

SH256 hash:

3aa8ce5d4766e6fa27c0f3e031c1425b79322fc25ced61c68998ddd0fe84afe0

MD5 hash:

62963935f4f4a7a5d71e15077781146b

SHA1 hash:

374f566ec38e44ea82e0aef8c79417067b37f003

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/1c574bf2-e9b1-4b05-aac0-f48c1fecdb03/

Parent samples :

5fc5368bad8a8b519f2c392b97c458d9425307b00d52aaadea20eba58e8eeb24
707fdafc56b969ced0f79032c766da29582068ae2630074ec8d41c4d53a73773
ac7a2d43da192df88b772d5f18ad2fbfff501236b4593c0e608474fedde91508
a0f0d732fb63ac2e8801fb5f3a7f969952a7fbdb8b2a782c64cb1c1c14bda72c
4528e9b7d05236ab6a225911e8978af4a7d49bc0221b5529d40ee85b60b0dae7
0be718f7b7a74c02cb6e13cf89c32e36e3385d3c8d6bf11459e8a43afafe4ab4
35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e
bf68190a743215ba83339703d99ecb3507f00182ca1fc4dce9a472e4b0c5f757
5659b4ea8582b110707f84728ceeb09d22e72c0f729a02d6d73dbf268b2397bd
b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3
1f9e7ccdbb6aecb1c353461b5bc162a24c3df9acb5493d76aa0e8f1c6ec1190d
6419d74ea82b7c45bac56aba550a556791e76110e1af3c07794773daa8900032
4ffb20e1a907ba09b16385b701c037d5f8d62f3153be1ef80260e8fb7c6143a3
15890e027eddc1d4216eb97e3700de9069187fed0526047a148cd67705b1f8d6
651859b30c796cf59166ca018a2b4f18c996af4e688d302466ae56a5712b72a7
36271b3690553ed6d67f3b4f789686c6addfe0704e3852c7173aeeb62ae99402
75bb652c901a98ba61bc0baae6b7e6b1e9605ae11b8e9af441d0636751ac89a1
d54f9aa94e3319c4f55a5204e210bfd81e258ef0aa789b372e4516d3683a3e8c
1603ebc35858fe5eb23519fceb18edc6566022ec9d6393a0eb61597fb70e3df2
4b3c7e98f64622c68cd4d61b313b7a07523e1276eb0e66fd1187e8ef2ddec23d
85bfd7c03d84af32087ec4bf003fd32f970339800345620a8cce138f3847b9ed
f72965f2590970749410784883b637e42f6b05466767232fa4d0b754d4a0054d
e401c37dcfe4433d2b0fdbe449f905554b5449d397eb18e2c78cca0b10dc113b
a0f0473fdc61c805b124ed9b8a2e7dc17a16116118da16b7650f04936c38f184
c87794c2fbf18de86169adc7b50d5b828d8e7ec24c483bc24d429068e585762a
3a314ab3e162a1d14105a5a2f6116c461c8a69d9cf614f79521aed9effa61385
3a279099e6b83675a0f1b4ad779734a1c718d6b19a9ab225c54be70c78108ab5
b1cc11582118c8e46f487673a2d0bfc8ecd8c3703aae25195dff8120106b4277
d4f7093db94b0587b0d66fc2795be733423564739109468222cb2560546e230f
6fb8d03893d2eb011b8ec0de9b4d276528047a6c8b833cc8e7f1398ecc1695b8
70b4895b9344e87470809850e75fb9355d3d46ec799221c1232c4d6128b814f7
5b3cc96740f0b6d508064e77b919b7f26e0d4d63d1541fbae0ced67efa83a668
4de3da2145094b2d623f289bb59e0315edaa2a4820603e1b0384d96da159484c
f239532b415d0769dea6827221c226555e1c4bda21ecd050041d829021c52d52
32f152c9fe6debe129b961dcc4e158e2d0329de2793a15f26e8d4ed5bbe2ce62
d463661f048c60c88a16d49f9578d5eb57262c2c60ee06ab5b3e2d5832183542
2a985f28930a096549702d1405257ae47f8503973abaa406fde72ec086d2a546
d6f0f38727c762b36df15c44ef60ca77e766fb4f961634b21f4a2c806c481038
9d1638b1dd03a382ff17a517be8a43281799bdc7af7b485a5e3c494712663634
5a0b5dc86cd2a408434f885be7c44ae25ac4e3b7320da9737119f81183be9dba
a7db6df5960231b52632b929d91f56f275347d1af9b18326d1ebbf575eb5f2ba
dfba3d114561074b5379a1827a895a01bed990ceefc70b74e8031c791b1ec4f4
82a4425f807c071dedf43a2c116cf0d7ad4f0945adb47dc10378365cff8f9c8b
36d699808361bcf77a1147c09dc4df6319b7bbf670814ab1f882bc2668fc11c0
1a895996e3edf28787c2076049c1ec3ce137824bfbdff3dc6e5e020077762c85

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b4e1932f23a5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/42119/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample