MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
SHA3-384 hash: 010b785746d101bcabbc11f3b5b76817a71e19df470164b3c5471340b861cc824275e368d9f326b7786e81d2cb41590e
SHA1 hash: e931df3bc6e278e9a432ebddf9117941cb71d7c5
MD5 hash: 93fe5b6e560ab23e63b695a30c301372
humanhash: fillet-ink-october-social
File name:e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'049'088 bytes
First seen:2025-07-07 14:26:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:BsxVb6+YzuJQe9babq8xzDFvbdVmRZoeC:Bsxl63zutsq855vbdV2Zoe
Threatray 2'784 similar samples on MalwareBazaar
TLSH T191256B9C3650B1DFC897C572CAA89C74EB61787B531BC203A09715AEBA0CA97DF144F2
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 40b974c4d4602858 (8 x Formbook, 6 x AgentTesla, 6 x a310Logger)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
31
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12890/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686bd957c9eb974737676cd6
Tags:
keylog spawn spam word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b7f1599-4ea1-4c18-9b59-ae4b670bb79d
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.14 Win 32 Exe x86
Link:
https://app.malva.re/file/93fe5b6e560ab23e63b695a30c301372
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-06-19 06:12:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4n7hhr43mn4o2qfx7vukw26lbsn4xdppeqk3qgtycezzlclja7sa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
66f078e58ebd64a0dc663e8b45e21469d9b7b020b130d7f4bd31de6de4a4ce7a
SnakeKeylogger
c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400
SnakeKeylogger
d29951ed6ca3422a3ae5e2290a755571354f8d17ba3512a3b64275386ab08c6d
SnakeKeylogger
e69d7fa2b55a9c5b632015c4cbc2551b1109e99f7773f4fe7def0aa8a91eca11
SnakeKeylogger
f2cf2e30e5adbd28df56d9b640ac94dc8fcf6ff6cecc04502af5664e3afe82a0
SnakeKeylogger
+ 2'774 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250707-rslvgaek31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eee41bd8-6b80-44e3-91de-3eec1100fa99
Unpacked files
SH256 hash:
e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
MD5 hash:
93fe5b6e560ab23e63b695a30c301372
SHA1 hash:
e931df3bc6e278e9a432ebddf9117941cb71d7c5
Link:
https://www.unpac.me/results/71bcac65-d944-4eef-96f3-5daf9e398349/
SH256 hash:
66b638c9f8699ec8482c352c313fcf48860fc79ae24e18614f3c644f97cbf5ef
MD5 hash:
4c416e37e6b06ab8abe40221eb37a92f
SHA1 hash:
097228c7fceba6bd945987fa7d234e26e6b95f84
Link:
https://www.unpac.me/results/71bcac65-d944-4eef-96f3-5daf9e398349/
SH256 hash:
080dc1fbb7c8e11058f17eb020b60de7c1c21a9f08b955dc7cfb74d88d1071fa
MD5 hash:
e0ea65adb4d2f367078a1ee2972c680b
SHA1 hash:
34d35ab3c322f27c041a6f2b747779aca70ddc62
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/71bcac65-d944-4eef-96f3-5daf9e398349/
Parent samples :
c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400
e164aa93521e044a988d12b9f9c996a602d473a94f7b9ea910cfd7da820f52a6
7fea3f280f7aed3bf963dd88226ced21fedaaee1c2f7e0bdb7f5bced416711dd
fe8abf598767162b0eb16dcf51205afcfd221eb2b2f23f32e5b286de19561df8
4a6dcfe4dfe7d02d44962cb9e47d87d6d755d0a9481a8013b145eb674ba567a0
368c3f4373be7b2de2adb08b623315e12d69d4d3f174c6a5d5b3e892a85fee51
62bd1a4886eaea5b5bbd21eea90540913b0a7a573305b0eb7c58cc61e93ecea0
d70b075d8b89da01a7990219aa08a64cfc93c5b915ac3217fc26c412e4f11122
e37e73c79b6378ed40b7fd68ab6bcb0c9bcb8def2415b81a78113395896907e4
8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
SH256 hash:
f17da382e5ca7ae33920b1cb41c43d16986ac1f9f048fca5fa0d87a704818a53
MD5 hash:
b7304b65701a594d612a7b9070baeb50
SHA1 hash:
622065f9e1f8addcb2101c7ba0ad95413dfc1e8e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/71bcac65-d944-4eef-96f3-5daf9e398349/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:growtopia
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked growtopia stealer malware samples.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12890/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments