MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e
SHA3-384 hash:	e048971d1754eea6c65c5b4e0ae84df2ddf7bfcb4c5960e5c1cb1290b09bc69ceae441d99d7cd3f72d79a2c06729db00
SHA1 hash:	6f7c4aa1dca58c97a20b1ae5be7b2871bc3e30d7
MD5 hash:	dce8941fe722e84f7ad5996b8f89340a
humanhash:	whiskey-illinois-tango-hot
File name:	SecuriteInfo.com.Win32.MalwareX-gen.25869.11238
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'245'696 bytes
First seen:	2025-07-07 05:16:07 UTC
Last seen:	2025-07-08 06:46:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:Bhl0JXeCtKKRzdhE/FvAupiPsIOWcb1xNZTbC2FbrZReYisGE:BOXeCtrRxhENhpiPs7xrT3FbrZ0sGE
Threatray	2'074 similar samples on MalwareBazaar
TLSH	T123458B4272A5E86AC67A8AF1C920C6F393716E07E618C28F0CD57DCBF5F1F0609A1657
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	e9f0d2d2b6b2b28e (4 x SnakeKeylogger, 2 x XWorm, 2 x NanoCore)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12597/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.25869.11238.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686b581ac9eb9747376749d3

Tags:

backdoor spawn shell spam

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap obfuscated obfuscated packed packed packed reconnaissance roboski stego vbnet

Link:

https://www.filescan.io/uploads/686b581a9db85bde254e16a5/reports/d6ebe9e0-ce23-46fc-a292-bc6f9393ed25/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a0c6c762-7790-41ce-b229-f4cdbca3d85a

Score:

85%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.13 Win 32 Exe x86

Link:

https://app.malva.re/file/dce8941fe722e84f7ad5996b8f89340a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e/

Threat name:

ByteCode-MSIL.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-07-07 03:34:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ntxenaulqyuqvbrasofgebk62mxvpc7qlvtvcuukegw2krqr5xa._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

SnakeKeylogger

3e6b66523370ec176bde58dab3c924ccd833f92e1773359aa7e778baf5f3b511

SnakeKeylogger

47af16cc5a248cf055155a57d1eb07844113a00c7a84802588ef7dc5f007880d

SnakeKeylogger

b06c40802695123acaef9a4d74fa336c0d60779031678ba78368673ce6b00e2a

SnakeKeylogger

error

SnakeKeylogger

f5c2ca5c0224f07b3379faeb4d38d468e3266a939731a540700265568c5ee5a6

SnakeKeylogger

+ 2'064 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger persistence spyware stealer

Link:

https://tria.ge/reports/250707-fx66esysfz/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7937222094:AAGs7901qwrqTbGe8qNzV4zjwWFTKEQD8W8 /sendMessage?chat_id=7886581547

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7874fe72-ff1f-41b0-8acd-c2bb7ef33864

Unpacked files

SH256 hash:

e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e

MD5 hash:

dce8941fe722e84f7ad5996b8f89340a

SHA1 hash:

6f7c4aa1dca58c97a20b1ae5be7b2871bc3e30d7

Link:

https://www.unpac.me/results/a40a65cd-509f-4353-ae6d-a889eea0987a/

SH256 hash:

3572818b9fd5c037b2d14e51d6b631a8c75de133bfac47895d625d039de35884

MD5 hash:

4cedaff8a5bca28569294e52af5f25b3

SHA1 hash:

6650913273fe497ef4d168282bc7c3b22a7f65d2

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/a40a65cd-509f-4353-ae6d-a889eea0987a/

SH256 hash:

cc89374814480be383c48c9535cb2dcd3bec12c30ebd589a0e3f0494ef0a271e

MD5 hash:

30ee63bed7c5751578b057b9f1dddc49

SHA1 hash:

6fd54345ce3311b717c824d5c00729719c8ee86d

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a40a65cd-509f-4353-ae6d-a889eea0987a/

SH256 hash:

6b3803d57b5033582d424c2c48ca7c535c2c927a12d56269a413cb61c9c569c0

MD5 hash:

8b2d87ec0d6097cf4cbd324745a2befb

SHA1 hash:

7968b1b4a8053b011dff164c9b6d5862f419f7a2

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/a40a65cd-509f-4353-ae6d-a889eea0987a/

Parent samples :

e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e
27a52e38bbd0eef6a1eafece6090fd12543b92fdb1f909e10b6c1ac2f1981449
b1f70f9487ea2c45aa51bf83894ff40e7a8ed522ef2575a1ec1663f0374fa14b
0f62a0bd2f5e4686de5392a0025e45d5b3d222eca4380d63f40010ef671a931a
09dcb03bd67ebe186aa8874c549c4e9c62f10fd0ae483b5bf6dc89e2003ebb71

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3677234145c31485431049c53102af6997abc5f82eb3a8a94510d6d2a308f6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12597/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample