MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
SHA3-384 hash: 4fed97b9d344213eb5f456d7da27b6df19c3f0a05e9198db878a7c59dafd3b8901ffcdfb494c64231ddad454b4cf9437
SHA1 hash: 81a64e2be196d5b9bb156fade46fb35ef84d48df
MD5 hash: 42e0640802d6415c8aa3052d333cad18
humanhash: high-colorado-mountain-wyoming
File name:Vessel Details.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:617'984 bytes
First seen:2025-10-23 16:48:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:HhI2320cX3xSq0GYqClWnixarlf6X7bTfAB8CSnfxGwGw4EuM3HU9Ck:H+2VcHsq0zqClxay7bTUSnfxGw4HM3H+
Threatray 579 similar samples on MalwareBazaar
TLSH T1ECD4F1583A2ECF16C4A51BF259A0E3B023B46E4AA511E2179FE67CEFB435F45290C713
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Vessel Details.exe
Verdict:
Malicious activity
Analysis date:
2025-10-23 16:49:03 UTC
Tags:
snake keylogger evasion auto-sch-xml stealer
Link:
https://app.any.run/tasks/78e71b48-4846-4d34-bf71-a5a4fae5ca7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33934/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fa5c723bdc93eb0563897b
Tags:
backdoor spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68fa5c6cc85c5c569733f27c/reports/42a90b99-5410-4973-8457-44d126a37704/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-23T05:20:00Z UTC
Last seen:
2025-10-25T01:35:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Spy.MSIL.Agent.sb PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb VHO:Trojan-PSW.Win32.Stealer.gen Trojan.MSIL.Taskun.sb Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb
Link:
https://opentip.kaspersky.com/d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f56ec78c-c20c-4264-90a4-2e24ff6459c2
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1800781
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses TOR for connection hidding
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1800781 Sample: Vessel Details.exe Startdate: 23/10/2025 Architecture: WINDOWS Score: 100 51 mail.onionmail.org 2->51 53 reallyfreegeoip.org 2->53 55 2 other IPs or domains 2->55 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Sigma detected: Scheduled temp file as task from temp location 2->71 77 8 other signatures 2->77 8 Vessel Details.exe 7 2->8         started        12 eScqiXdLqr.exe 5 2->12         started        14 svchost.exe 1 1 2->14         started        signatures3 73 Uses TOR for connection hidding 51->73 75 Tries to detect the country of the analysis system (by using the IP) 53->75 process4 dnsIp5 37 C:\Users\user\AppData\...\eScqiXdLqr.exe, PE32+ 8->37 dropped 39 C:\Users\...\eScqiXdLqr.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\Users\user\AppData\Local\Temp\tmp516.tmp, XML 8->41 dropped 43 C:\Users\user\...\Vessel Details.exe.log, CSV 8->43 dropped 79 Modifies the context of a thread in another process (thread injection) 8->79 81 Adds a directory exclusion to Windows Defender 8->81 83 Injects a PE file into a foreign processes 8->83 17 Vessel Details.exe 14 2 8->17         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        85 Multi AV Scanner detection for dropped file 12->85 25 eScqiXdLqr.exe 12->25         started        27 schtasks.exe 12->27         started        57 127.0.0.1 unknown unknown 14->57 file6 signatures7 process8 dnsIp9 45 mail.onionmail.org 173.249.33.206, 25 CONTABODE Germany 17->45 47 checkip.dyndns.com 193.122.130.0, 49713, 49717, 49718 ORACLE-BMC-31898US United States 17->47 49 reallyfreegeoip.org 104.21.67.152, 443, 49716, 49719 CLOUDFLARENETUS United States 17->49 59 Loading BitLocker PowerShell Module 21->59 29 conhost.exe 21->29         started        31 WmiPrvSE.exe 21->31         started        33 conhost.exe 23->33         started        61 Tries to steal Mail credentials (via file / registry access) 25->61 63 Found Tor onion address 25->63 65 Tries to harvest and steal browser information (history, passwords, etc) 25->65 35 conhost.exe 27->35         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-10-23 08:32:48 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
14
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3eq64bcnbghilmcw5evwo2mkrksn6ifaosxhhrt6t7gr6ve26h3a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
404keylogger
Create hunting rule
Similar samples:
364e7e17deb7c093a0c50be1bc63b42688f05a0be7816d47cbd648b8e984861a
SnakeKeylogger
43d7aada2fc0643b2edd373d5cd86f86f441040fbbd578820d271829b6ff0796
SnakeKeylogger
be127489937f1f8730ef6d8f24f526e58d27d6673b61a66911b4988ccb6f84de
SnakeKeylogger
d80e5353fa1942cb04ab1f9616e401835a42d292e4b4630a79340f1776eebe8b
SnakeKeylogger
d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
SnakeKeylogger
e19d342775986dfb5989a9691f119d23303de16bebe50c0d7749b575e3aa392e
SnakeKeylogger
error
SnakeKeylogger
+ 569 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection execution keylogger persistence spyware stealer
Link:
https://tria.ge/reports/251023-vbza1sfx3e/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
404Keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/056bf909-b291-42c7-8590-15d4cf0f058d
Unpacked files
SH256 hash:
d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
MD5 hash:
42e0640802d6415c8aa3052d333cad18
SHA1 hash:
81a64e2be196d5b9bb156fade46fb35ef84d48df
Link:
https://www.unpac.me/results/b713f1d0-9b4c-46b0-be90-8705c18462a7/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d921ee044d09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33934/

Comments