MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2
SHA3-384 hash: 045e935081fcf37009bb5bd3fafab2d383d7538639e16b97b4416815d2ccb0ae5787f62678f3bbaa0e19eafbfac37578
SHA1 hash: 9faaf39fc05fa8bcb0bcc89c7aa0c766f1cd3d77
MD5 hash: 988ff706a05544cd025aa01399fd51a3
humanhash: hot-lemon-missouri-floor
File name:Bank slip.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:763'392 bytes
First seen:2025-07-08 08:06:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'613 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NX2SelyAFtKNrZ3hbRdPHzv1+/XhddWm0nhwMmoAv8dNIZ3olioUSdyv:NZe4CtKNrhhRdPHYpum0n6Rx5Foli
Threatray 1'553 similar samples on MalwareBazaar
TLSH T1FAF41268665AE714CDE65BB50372E3B862B05F9BE422C35349F9BCEB7D01AD13C40293
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 306296163498f230 (6 x SnakeKeylogger, 2 x a310Logger, 2 x VIPKeylogger)
Reporter threatcat_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13425/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3366.27745.30353.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686cd17ec9eb974737678947
Tags:
micro spawn shell spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/686cd18461f15fb42a34a595/reports/9d593f54-b426-48be-b09f-f4b230cc82b2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5456b1f3-202e-4992-84c0-ecdf06b10623
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.03 Win 32 Exe x86
Link:
https://app.malva.re/file/988ff706a05544cd025aa01399fd51a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2/
Threat name:
ByteCode-MSIL.Trojan.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2025-07-08 06:33:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sskbjaeycoxwtnb6jywewnztiky5kbvy5o2xolyhtgn2dagusza._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
09dcb03bd67ebe186aa8874c549c4e9c62f10fd0ae483b5bf6dc89e2003ebb71
SnakeKeylogger
0f8f4d5651684cb127cb4f921afda71d548b8a75c5976c8b0219586e4dc024d3
SnakeKeylogger
5b5f9ff4df3c30e75660a3b1a87df600a738bf8ed4f6aba3b2f947bd029de864
SnakeKeylogger
7c8cd2a13df9b59ba7a2ceea38ea591c133372f57c1aa8c8d55e9923fbe2d69c
SnakeKeylogger
error
SnakeKeylogger
f4655548728c3901356c8b6c1cecb9f5531872b1cadd914c057d26136a45d5fe
SnakeKeylogger
+ 1'543 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence spyware stealer
Link:
https://tria.ge/reports/250708-jzj1fssjs4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/454b153a-cd3a-4c7e-8d9e-bd35c216607c
Unpacked files
SH256 hash:
dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2
MD5 hash:
988ff706a05544cd025aa01399fd51a3
SHA1 hash:
9faaf39fc05fa8bcb0bcc89c7aa0c766f1cd3d77
Link:
https://www.unpac.me/results/bef43ac1-7955-4315-9e18-6b4260bc109a/
SH256 hash:
87656b5b6446c22dccbab5c41d124843cdaf598fa0827e52afb668606a5ff4b6
MD5 hash:
7c579ccebb6393f4fca04a3c528ce2a3
SHA1 hash:
0ae3402836a77118b4e9c908cf449e94a49a366a
Link:
https://www.unpac.me/results/bef43ac1-7955-4315-9e18-6b4260bc109a/
SH256 hash:
367f6f714a6eea148124d4669325471bb9bbd657920d148bfa7a31bc0646aaf2
MD5 hash:
e9b2ca3db70158f828ec05feeef8d70b
SHA1 hash:
a229a4a959a07f8901b12c38da7ed48c8f57928c
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/bef43ac1-7955-4315-9e18-6b4260bc109a/
Parent samples :
dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2
f1a63402b0f5d6fa912631cb835ab163cf88156bc391fb207af6a143b0162584
bcd2512db9d2789cd0ad058f0c2fd676cf37368174a75a95306f229df5d66dd2
717a837bfdc5f383080ba2ed80fe0fa7fceaac43d33a13f14d0e01ceeaa1ba95
beba2b05e09ceac79a59629fdb39331a95643a5bfa1fb4562ae748a0098a1f19
SH256 hash:
100c8f33020e697982bf18b160470c7094df965b18f10d405137f609c943d326
MD5 hash:
788d167bb8d2286d6d4c0f8779d25785
SHA1 hash:
ead153a5f6347c136a2f258c7a74371a00fff4df
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/bef43ac1-7955-4315-9e18-6b4260bc109a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe dca4a0a404c09d7b4da1f2716259b99a158ea835c75dabb9783cccdd0c06a4b2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13425/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments