MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3
SHA3-384 hash: aa9c38a6ad8e4d9ade3edc12d27adc902f9df713f5ec1d57e14050623aa05f7e28020e4dd71a4feef592f1f13e48106c
SHA1 hash: 408ad0307a9f65d97ec37181fb61bf10bfb77d72
MD5 hash: d3f77726e48830dabe70ce7f951b4388
humanhash: pizza-eighteen-jig-july
File name:price quotation new order CT-2501.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:558'080 bytes
First seen:2025-02-28 09:59:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:nquErHF6xC9D6DmR1J98w4oknqOOCyQfZtbhx2QcPJCd1YG2:erl6kD68JmlotQfZ5HfYF
Threatray 89 similar samples on MalwareBazaar
TLSH T10FC422859AE1D867DAA85339453E8D548AB97432DE8C772EC728F04FFC11303D85A72E
TrID 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
price quotation new order CT-2501.exe
Verdict:
Malicious activity
Analysis date:
2025-02-28 10:01:38 UTC
Tags:
snake keylogger telegram evasion stealer
Link:
https://app.any.run/tasks/22896773-349d-4dd1-9e49-e228ecb67ba3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.VBS.Obfus-140.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c18a094e50050b2e6efbc1
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8fdcfef-c15a-4d02-9401-4abc491f5715
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1626407
Signature
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1626407 Sample: price quotation  new order ... Startdate: 28/02/2025 Architecture: WINDOWS Score: 100 30 reallyfreegeoip.org 2->30 32 api.telegram.org 2->32 34 5 other IPs or domains 2->34 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 52 10 other signatures 2->52 8 price quotation  new order CT-2501.exe 4 2->8         started        12 wscript.exe 1 2->12         started        signatures3 48 Tries to detect the country of the analysis system (by using the IP) 30->48 50 Uses the Telegram API (likely for C&C communication) 32->50 process4 file5 26 C:\Users\user\AppData\...\robustuous.exe, PE32 8->26 dropped 58 Binary is likely a compiled AutoIt script file 8->58 14 robustuous.exe 2 8->14         started        60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->60 18 robustuous.exe 1 12->18         started        signatures6 process7 file8 28 C:\Users\user\AppData\...\robustuous.vbs, data 14->28 dropped 62 Multi AV Scanner detection for dropped file 14->62 64 Binary is likely a compiled AutoIt script file 14->64 66 Drops VBS files to the startup folder 14->66 68 Switches to a custom stack to bypass stack traces 14->68 20 RegSvcs.exe 15 2 14->20         started        70 Writes to foreign memory regions 18->70 72 Maps a DLL or memory area into another process 18->72 24 RegSvcs.exe 2 18->24         started        signatures9 process10 dnsIp11 36 api.telegram.org 149.154.167.220, 443, 49764, 49769 TELEGRAMRU United Kingdom 20->36 38 us2.smtp.mailhostbox.com 208.91.199.223, 49771, 49774, 587 PUBLIC-DOMAIN-REGISTRYUS United States 20->38 40 2 other IPs or domains 20->40 54 Tries to steal Mail credentials (via file / registry access) 24->54 56 Tries to harvest and steal browser information (history, passwords, etc) 24->56 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-02-28 09:52:27 UTC
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3c6azlx5khpqla7ec7oob5f2hzrfxfx6auitchu6lsx24a3hbhbq._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
1f70b8eafe372bef9cf9923565ab2763565b63e74a1759bcefad45d3bb9c6d18
SnakeKeylogger
32fb940e69969680fdd9e128e04048eb2b1d3af26c2b0e4356608778c3d805be
SnakeKeylogger
44f74202592b4d3c479190a42208c238ec31b259a8341e642c5e401fef4c0db2
SnakeKeylogger
48abc789fffea9d92781ed4434aa67d136cdef20a346724ccc40ec531829aa88
SnakeKeylogger
58e26b83984e7c8783d568a918c5aa3c9f4e7d42210f1731e7dface4a8694498
SnakeKeylogger
c3b99daf51d5d521800c4dcc07022b77c04f8d27d86b6f6ddf5285f3d53a4902
SnakeKeylogger
d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3
SnakeKeylogger
dc2d55de6e5316aeb72b22bf425e9eab82adbb48247f8f8bb8e8e4644ec191b0
SnakeKeylogger
df607dfa701d132a8679f0855bfdca430246d46285e36f46a965bb8a67f4d7b6
SnakeKeylogger
error
SnakeKeylogger
+ 79 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger stealer upx
Link:
https://tria.ge/reports/250228-l1wrraxyhy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
trojan 404keylogger
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/5d275a74-7619-42df-80fb-b937c0087f9d
Unpacked files
SH256 hash:
d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3
MD5 hash:
d3f77726e48830dabe70ce7f951b4388
SHA1 hash:
408ad0307a9f65d97ec37181fb61bf10bfb77d72
Link:
https://www.unpac.me/results/c4d12dc9-b090-4008-a022-f7b3095ae5b5/
SH256 hash:
9f56c9fb67f8bf8ba8b213207adb6e92312b7e99a77fff40f8c21f932d65f9fd
MD5 hash:
0a5623ea19c151cbced0241b67d5eaf7
SHA1 hash:
38445fb240964ae40a4d2fb7cf23084fc9688f8e
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/c4d12dc9-b090-4008-a022-f7b3095ae5b5/
SH256 hash:
09a8ab2a6dcc21c1e8ef5937078f7e9d2818b2c5035fbb0763c5d5326ede0ccc
MD5 hash:
b01f8bc7baa703fb0f728583d98370c4
SHA1 hash:
4f985bd58829d02cb42fb19750f952ffd6d37af3
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/c4d12dc9-b090-4008-a022-f7b3095ae5b5/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d8bc0caefd51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d8bc0caefd51df0583e417dce0f4ba3e625b96fe0511311e9e5cafae036709c3

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments