MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
SHA3-384 hash: af4643a9af4e580776baaa074a30e8683aa80550fc484eb458e2baa710b8761560ae1c095f8f706572da4a155a8a9332
SHA1 hash: 6fe3f3e1bbeb34d107031a6a3f6f469fc7f56c87
MD5 hash: d5bb0507a16ea7fdf97d46fcb8cd4a96
humanhash: indigo-golf-washington-twelve
File name:b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:713'216 bytes
First seen:2025-08-12 14:28:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:PMLIUGdp9hFhIu4RLSKNvb+IQSwN7iaM1xFVxSP+rMEReEJcTjNFwjpO0M39y:PMLHGdvh3I9JRQLC1xF/FtSF+k0M3Q
Threatray 3'255 similar samples on MalwareBazaar
TLSH T1B8E412A4754BFA11D886ABB949B0D37243B59F9FF423D313CBD9ACE3B5257023098291
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
Verdict:
Malicious activity
Analysis date:
2025-08-12 19:33:19 UTC
Tags:
netreactor snake keylogger evasion telegram stealer smtp
Link:
https://app.any.run/tasks/ebd8d3e1-48e4-4dc8-b9c5-545e10128e33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20680/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b5269c633abe3908e508d
Tags:
virus spam msil smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap crypt lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego telegram vbc vbnet
Link:
https://www.filescan.io/uploads/689b665fa67ac4b37a4e284b/reports/54037fed-722f-44ac-bd83-4893e19d07fd/overview
Verdict:
Malicious
Labled as:
PasswordStealer.Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa4a21bd-8b7c-450d-8eb7-addb47138496
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-07-25 05:29:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 36 (69.44%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdzu6hi4lpsn5ihs7b7lyjwqzprn7wqr4vjen5qunwne6rzspfba._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
45058c52a1b3c9a5755be5783f3ceadec45cf9543e8ce0e2ce353f51cfc92a5b
SnakeKeylogger
4d4f4dd3dd03d3ff63689d10675978b1e232f7d1429eca28cd3d9525824817eb
SnakeKeylogger
73ab8358ef3fd724fc5d5c31d13dfb4717ba6cc254c7da6402d3133c60ce058a
SnakeKeylogger
eb93294abe8d7afffa66b6d07a7dd990849a1a342f2c9096f54105db26592f1f
SnakeKeylogger
+ 3'245 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250812-tht47sen81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/92c3bb6b-7db1-4151-bae8-ea312e9f3ccb
Unpacked files
SH256 hash:
b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
MD5 hash:
d5bb0507a16ea7fdf97d46fcb8cd4a96
SHA1 hash:
6fe3f3e1bbeb34d107031a6a3f6f469fc7f56c87
Link:
https://www.unpac.me/results/b7d3848d-2cc4-4608-b414-348ed7c59b41/
SH256 hash:
fba4b871ff225963a879716ba6e3dbfc9379a7e0f8643335a833fc51dcb0e5d8
MD5 hash:
45b868e1ea017567bfdc6eca797c33e9
SHA1 hash:
03682aa06b912169bab587c477c290abd61aa9ee
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/b7d3848d-2cc4-4608-b414-348ed7c59b41/
Parent samples :
2278589011ac08c34a0fc7eb9a116f7b348605a9ee28a5d8e1509394f4f35089
dbc17925f6b344b2f803d81256644eb38d06d85cd87853d4b62f43d14eb3b9a0
42297810b91165ed7fb3c30d157f94fed8e1f166b94f722d39a98dba01258976
b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
df968a9eb186454eb6e37c1714135697a076742d52e319fb965ed95276a3e455
SH256 hash:
bfa8f86a917a497f68f81cb3966d4bdded4267e8e5299dfd1a384a01308e6eee
MD5 hash:
9eb5394306cb5b7ec22f720226c55753
SHA1 hash:
48a17faf1096a0b7cbdceabd0ca5e4a078a1cd8a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/b7d3848d-2cc4-4608-b414-348ed7c59b41/
Parent samples :
be3b41c810133c52469f01114284c66d96cbbeafefd4d1055f3202d0564826be
a72143b5769c74747fa3e9d4e6ecca69f9df376b4d8623fbfaf6cb1629bb8bd5
b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942
9dc1d9b291b665e9d11510f60ad32a67687c70d2a9f24d1ed1c1f9d119fd1a8c
12e12201959abc0ca9eabe1cd640c759768f2a1950d411d0b131c4320e109b6b
e65aaea1c0648796975c24a88a915e9f85cff51af0398a33bebcdaddf59d0440
SH256 hash:
50ce1da98f3cfc20d4175c0dcb34c11f371d9d93cc83d1a34e7a7dd33c830873
MD5 hash:
1cd3d63e391f6ed4f87ec0608e3d0648
SHA1 hash:
b34f029d3d2f9b89a4f0962c154baef3b630abd8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b7d3848d-2cc4-4608-b414-348ed7c59b41/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8f34f1d1c5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8f34f1d1c5be4dea0f2f87ebc26d0cbe2dfda11e55246f6146d9a4f47327942

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20680/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSecurityInfo
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetSecurityInfo
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::CreateFiberEx
KERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FillConsoleOutputAttribute
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleInputW
KERNEL32.dll::ReadConsoleInputW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertDuplicateCertificateContext
CRYPT32.dll::CertEnumCertificatesInStore
CRYPT32.dll::CertFindCertificateInStore
CRYPT32.dll::CertFreeCertificateContext
CRYPT32.dll::CertGetCertificateContextProperty
CRYPT32.dll::CertOpenStore
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegNotifyChangeKeyValue
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::FreeAddrInfoW
WS2_32.dll::GetAddrInfoW
WS2_32.dll::GetNameInfoW
WS2_32.dll::WSADuplicateSocketW
WS2_32.dll::WSAGetOverlappedResult
WS2_32.dll::WSAIoctl

Comments