MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5
SHA3-384 hash: d4564fc937c3a14a8e8a87330aaedd66d5584efbb24c45ba8d1151282c8c7f190cac49c3cf9ce8eca3e39d6964ff3968
SHA1 hash: 5e53a5a2240e3b8b4e8a607fabdda56ed520a270
MD5 hash: 53bb9a77fe019d5e56a63eba4da6e994
humanhash: chicken-alaska-berlin-mars
File name:Details invoice.pdf.tar
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'102'848 bytes
First seen:2025-08-02 13:33:30 UTC
Last seen:Never
File type: tar
MIME type:application/x-tar
ssdeep 24576:XJd531iOEvR/1LZyKB7JhyMpi0w77534VVV2:XJd6OMR/1LZxBDy10w7r
TLSH T1EF3528E291A508A5D4B35DB08822E8372256AC9AD83345589ED7FF5BF4F3ED30C23947
TrID 62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3)
37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika tar
Reporter cocaman
Tags:INVOICE SnakeKeylogger tar

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Details invoice.pdf.exe
File size:1'101'312 bytes
SHA256 hash: 7bcdf47674beb6189482adb5c50392dcf8f0ae4494f2f9a3ed81c016d22a698f
MD5 hash: c248017efe313c046648333544f85a11
MIME type:application/x-dosexec
Signature SnakeKeylogger
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Tar_fs3230.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688e13e20b4775fb21352608
Tags:
underscore micro spawn shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed powershell reconnaissance regsvcs rezer0 roboski schtasks stego telegram vbc
Link:
https://www.filescan.io/uploads/688e13e273b8ef6f4afb3dca/reports/1062d676-7dff-4432-a254-59b233163916/overview
Verdict:
Suspicious
Labled as:
Mal/DrodTar
Link:
https://www.hybrid-analysis.com/sample/c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.23 Tar Archive
Link:
https://app.malva.re/file/53bb9a77fe019d5e56a63eba4da6e994
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-07-30 06:57:55 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbvz32dswdw56umimsmnbzha6l2xzilplmma6h6goyesgfiv3pcq._file
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence stealer
Link:
https://tria.ge/reports/250802-tfza5svj17/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackGuard_Rule
Create hunting rule
Author:Jiho Kim
Description:Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection
Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:win_404keylogger_g1
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

tar c86b9de872b0eddf51886498d0e4e0f2f57ca16f5b180f1fc67609231515dbc5

(this sample)

SnakeKeylogger

Executable exe 7bcdf47674beb6189482adb5c50392dcf8f0ae4494f2f9a3ed81c016d22a698f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7bcdf47674beb6189482adb5c50392dcf8f0ae4494f2f9a3ed81c016d22a698f
  
Dropping
SnakeKeylogger
  
Dropping
MD5 c248017efe313c046648333544f85a11

Comments