MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 18


Intelligence 18 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160
SHA3-384 hash: 9ec31179bc7d9ad8065a225f062287bc5504709e9b1c2448c76b8ba604f081cd22db207ca63ed3f7ceab556577d27c8f
SHA1 hash: c342b4b7d6ae905dbe310322cdb76dc929258318
MD5 hash: a450dd9c5e1fe3f45312fe92bbd85f72
humanhash: lamp-sink-jig-early
File name:DQom74epIyQwVHC.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:848'384 bytes
First seen:2025-03-26 17:03:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:gEN6w3IXJhIjAtjEjBH6uF649fJpROgEUFuROXdheFT5dmkSN3cddGscLBkMtaS7:gEN6w3IXJhIjAtjEjBH6uF6+fJKyuUTN
Threatray 3'494 similar samples on MalwareBazaar
TLSH T19B05126C2B89D405DA4A1B7599B1F374037DADCDA902E32BAFD8ADEF7C76B008D14250
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 30e8d4f0d4ccccc4 (9 x SnakeKeylogger, 5 x Formbook, 2 x AgentTesla)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
468
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DQom74epIyQwVHC.exe
Verdict:
Malicious activity
Analysis date:
2025-03-26 17:04:49 UTC
Tags:
evasion snake keylogger telegram stealer smtp
Link:
https://app.any.run/tasks/d089b29b-9485-4fb9-8da9-0dde2f3af993

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e43396cb6d38a89f3e7047
Tags:
backdoor virus spam msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67e43394f274bf2d8e23af99/reports/a71fbe1e-1970-48cf-a2ee-776bb7a0451a/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik_AGeneric.DLI trojan
Link:
https://www.hybrid-analysis.com/sample/cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aabd2501-eeb3-45a1-807e-66059f8df8a3
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1649366
Signature
.NET source code contains potential unpacker
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-03-26 14:35:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmi5m5235juni6g2ie7upjuhpws45dm3a53fupbrmn4boql3kfqa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
46811ff66868e4f3febe3a5f2374997ea2b1d407f15ffc269444b6fbc431dda1
SnakeKeylogger
5ce0f0aea4c4aae607838cd574a6860e8745ed8eade9dc6156864ac5c521c944
SnakeKeylogger
804cb8891f2829caf32366e9efbbeedd19eab55288ca94702d1c29ffded6d463
SnakeKeylogger
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
SnakeKeylogger
f0e637afd17905703f31d1efa7b5c847687560311ecec72b7f84352b4e3c66fc
SnakeKeylogger
+ 3'484 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250326-vld3tsyzcy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/b1bc8800-86b2-44f7-9e37-74b9f6ec3c41
Unpacked files
SH256 hash:
cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160
MD5 hash:
a450dd9c5e1fe3f45312fe92bbd85f72
SHA1 hash:
c342b4b7d6ae905dbe310322cdb76dc929258318
Link:
https://www.unpac.me/results/96829070-f584-40c9-9fa0-1e490e2f4837/
SH256 hash:
65f0880737b9a2dbf00faa12e37e679b8a1232237df736360fcc14e19e806cca
MD5 hash:
f22fece115e9c0f99bf3bff82d4fb834
SHA1 hash:
034e911420fad38712fb1200d9ff116af39a7cd4
Link:
https://www.unpac.me/results/96829070-f584-40c9-9fa0-1e490e2f4837/
SH256 hash:
8511a26d0d847245c90f12448697495556197c38eb524dfdaf566f07de1d7a41
MD5 hash:
7f97d5c0989d6d5c1913a867e91f814e
SHA1 hash:
8377725cc9a02f19451db66bab85aa6f4b14a55a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/96829070-f584-40c9-9fa0-1e490e2f4837/
SH256 hash:
361aacdc8d872336b53c5fced938f0da8fe08b276bf37709ddaccd4ab49d0a84
MD5 hash:
d1e513108c4ecad5a855cd50b5474023
SHA1 hash:
f9b6600596ebafdc3ff52b00757666bba01110e5
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/96829070-f584-40c9-9fa0-1e490e2f4837/
Parent samples :
0cf9705ea73fa538ec6056e8a35403ad1597ac5986590002bc94064ba004f103
cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160
39ee4ac12fd23485c31498995f77b6a377366ad8258feb5368017484f8f9e671
c4c8cfcfeed3893063dc7f33aec95f64301e4a2a33ed87927ee4d0d29f3906f7
354370f8ef2b62673fa2d6e408508e83500a6cb197b8208052431884229a8cd8
d5aecca02a75a707babc65ddc28b7104f9f54ce7bdd9896663667b252b03f919
1db797ad921b6fdab80754e752cc6316d0ab737abaab678131c0cad8fd7882d5
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb11d6775bea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe cb11d6775bea68d478da413f47a6877da5ce8d9b07765a3c31637817417b5160

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments