MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1
SHA3-384 hash:	2ec26d3e1cb0c5e5fd37a496949ec4ea0295f686b5d6c81c24b6bf29af7b8ce8555b87b89fe13798d394f8532e2cbd8f
SHA1 hash:	26b1b88716a627b89e825367602606a00a4960dc
MD5 hash:	69535b9884681d64fcfb422f62ce4b16
humanhash:	michigan-burger-music-tennis
File name:	d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	633'856 bytes
First seen:	2025-11-06 11:43:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:+t3DD8e/OBjPNEDDEe1OIunBsd6Wpy1SAovVTLCfsYz5EO8VJIHIu7W5hhf2k4hy:EDI4DEe1OIunBXWOoVCsloHXohhff8F
Threatray	1'124 similar samples on MalwareBazaar
TLSH	T1BCD40119365DDC03C8625AF04512E67823B49E9CA161D3CB8FCB3DDBF6ABB441E12683
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1.exe

Verdict:

Malicious activity

Analysis date:

2025-11-06 12:14:20 UTC

Tags:

snake keylogger evasion auto-sch-xml stealer

Link:

https://app.any.run/tasks/2c3ec355-a951-42dd-9836-33ac88fb85a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/36313/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c8a46ea0f3e915c2394bb

Tags:

micro spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

DNS request

Creating a window

Creating a process with a hidden window

Launching a process

Adding an exclusion to Microsoft Defender

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-30T03:45:00Z UTC

Last seen:

2025-11-08T07:25:00Z UTC

Hits:

~1000

Detections:

Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Agent.gen Trojan-Spy.Agent.SMTP.C&C Trojan.Crypt.TCP.ServerRequest PDM:Trojan.Win32.Generic Trojan-Spy.MSIL.SnakeLogger.sb Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Injector.gen

Link:

https://opentip.kaspersky.com/d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.54 Win 32 Exe x86

Link:

https://app.malva.re/file/69535b9884681d64fcfb422f62ce4b16

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2025-10-30 06:42:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3c7mzhtof53yw6ps7pd55hl2sivovnuwxivhth547hwrez5bohiq._file

Verdict:

malicious

Label(s):

unc_loader_037

unc_loader_078

404keylogger

SnakeKeylogger

516caa5876ff1a9e76d69c69967090ff8556283402109bc76e5e5d896bbc5a0b

SnakeKeylogger

6aeae35043c9ba97b7ef2fefb3a49943431eac600666e20614f09e5783328a50

SnakeKeylogger

d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

SnakeKeylogger

error

SnakeKeylogger

+ 1'114 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery execution keylogger persistence stealer

Link:

https://tria.ge/reports/251106-nvrlys1kax/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bef4c897-128a-43de-b51c-66f3f95e9b96

Unpacked files

SH256 hash:

d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

MD5 hash:

69535b9884681d64fcfb422f62ce4b16

SHA1 hash:

26b1b88716a627b89e825367602606a00a4960dc

Link:

https://www.unpac.me/results/936c9216-c3f1-453d-971f-ce3538cdc220/

SH256 hash:

52709b37784dadf95753ca5b98b62c10d255841a0fbc362387e481d68bb988d2

MD5 hash:

e4056bf5bdc0aeda20c08e7234345f4e

SHA1 hash:

03628104dca8f929caf06e12e4ebdba3aedc1b8f

Link:

https://www.unpac.me/results/936c9216-c3f1-453d-971f-ce3538cdc220/

SH256 hash:

4c25702de70c97da1e5c33324815b92993f29f03e89deb2fe56f60d89afa651f

MD5 hash:

fe4fc2fb0bb6a3922dde096863a48bee

SHA1 hash:

533d83dbab143d97f0ba124072930ecf80c84394

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/936c9216-c3f1-453d-971f-ce3538cdc220/

SH256 hash:

ab074c17469c78b73adabc252b28e58f94d33b35cea7d3c4cba735a4d625a457

MD5 hash:

8eaa8a9fee469ebc5b4552a148d67d19

SHA1 hash:

c20c781989f22a2e2c1f73c3e6e1b37d8190af00

Detections:

win_404keylogger_g1

win_masslogger_w0

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/936c9216-c3f1-453d-971f-ce3538cdc220/

Parent samples :

ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8
b50a00929e501313e1973833528b15251bdc410bf43f0328617af7c702096ad8
b7d078fa73d4a05c8216beddcb32493375d8457879525e026712e2a3e5198d89
cf960781f1a616c0277102db1d353fd73fa2c1e2642dac9e9a31aa21b8d5854f
42f5cbb12c4e13fb288fa434f31141d11f75f6a886623668d2d10f883dfc912b
4af374bbae171062a58c22a6a310fdeb2da768cf2bee3bceb8e7677a51c150fa
66fb500e98e755b7ec119c1e9477621ff55e1f08bcca1361c500cb3966d0fb6b
61f18c9b35079e3e414ea5d991e5bc8c1d408941584173d7e4d6d89721ff2d5d
2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866
91f364727c5515a37f48a0b1a9eb0782ef5cd2f7d2ad49f1f44beabea75089d2
ef191e2d10681d7e07d403c5a0f5c595fb55c54c9a66ddd6cabdb7af0d6f65b2
d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8becc9e6e2f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/36313/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample