MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
SHA3-384 hash: 82ef334b694ebfcb87d521e2094c0ea6b0935ed7eaa36d8167ff6363b19d7143a1955bdaa13147c36a243bc4b7d5a034
SHA1 hash: 049e32c01a33f8341a617de54a259c695c7e47dd
MD5 hash: ec6be823b3c14ccf89ed5a3091e3aa93
humanhash: florida-pip-hotel-undress
File name:e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:642'560 bytes
First seen:2025-06-10 08:45:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:xkqe5/miSLIPPdFcoavq1/3VRGlTRG2wSIzf+fVqfT9:xkqm3jnTcoaSd3VRuuSIzf
TLSH T19FD4F19C3101F44FC49782B449B1EEB86B746D9E5702CB43DAD72CEBBD2D68A9B041D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0040404971716800 (10 x Formbook, 9 x VIPKeylogger, 9 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
Verdict:
Malicious activity
Analysis date:
2025-06-10 10:09:45 UTC
Tags:
netreactor snake keylogger evasion stealer ims-api generic
Link:
https://app.any.run/tasks/b99dd7ed-e68e-4819-90e5-f58e5b02506a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8380/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6847f0db8bd5d68a12e757a2
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a7cc3e6-c6b9-42d7-8928-f9186f347044
Result
Threat name:
PureLog Stealer, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1711664
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1711664 Sample: U2Kf8dYt5D.exe Startdate: 11/06/2025 Architecture: WINDOWS Score: 100 31 reallyfreegeoip.org 2->31 33 checkip.dyndns.org 2->33 35 checkip.dyndns.com 2->35 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 49 8 other signatures 2->49 9 U2Kf8dYt5D.exe 3 2->9         started        signatures3 47 Tries to detect the country of the analysis system (by using the IP) 31->47 process4 file5 29 C:\Users\user\AppData\...\U2Kf8dYt5D.exe.log, ASCII 9->29 dropped 51 Self deletion via cmd or bat file 9->51 53 Uses threadpools to delay analysis 9->53 13 U2Kf8dYt5D.exe 15 3 9->13         started        17 svchost.exe 9->17         started        signatures6 process7 dnsIp8 37 checkip.dyndns.com 158.101.44.242, 49681, 49683, 49685 ORACLE-BMC-31898US United States 13->37 39 reallyfreegeoip.org 104.21.48.1, 443, 49682, 49684 CLOUDFLARENETUS United States 13->39 55 Self deletion via cmd or bat file 13->55 19 cmd.exe 1 13->19         started        57 Changes security center settings (notifications, updates, antivirus, firewall) 17->57 21 MpCmdRun.exe 1 17->21         started        signatures9 process10 process11 23 conhost.exe 19->23         started        25 choice.exe 1 19->25         started        27 conhost.exe 21->27         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-05-22 05:51:42 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4oohhbzdfpibtmkyie63kzwbfdoopgupjvr3j23csbx2dejchrkq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250610-kpdw5avpz6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0015b349-8469-4974-adc2-eb219d2ffd62
Unpacked files
SH256 hash:
e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
MD5 hash:
ec6be823b3c14ccf89ed5a3091e3aa93
SHA1 hash:
049e32c01a33f8341a617de54a259c695c7e47dd
Link:
https://www.unpac.me/results/a4620c2c-cb80-4d65-8c99-2978720c0ca2/
SH256 hash:
0656f59c9e7cfa07d64cf4cd7d85ebd9b4399893cc853f3d1d37cca622d1f815
MD5 hash:
e4a8fe009b340647108a98105600f476
SHA1 hash:
03193855202feecd4bc542876855e706a243f13b
Link:
https://www.unpac.me/results/a4620c2c-cb80-4d65-8c99-2978720c0ca2/
SH256 hash:
85cf59077d56a0ef98e10d2d1efc9fc7e52d6a871638988d8d70ccb10009a5da
MD5 hash:
d4dfc05b4853e3c268784ccf67afa9f4
SHA1 hash:
2c8be02e30d19e1f4ef8dc944d15a8e729494dd7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a4620c2c-cb80-4d65-8c99-2978720c0ca2/
SH256 hash:
f210e3d4efd3fe140d27c33169b21df09de3dfec657e4f2ae29c5e3b2a4ad9f8
MD5 hash:
fc5a17c355f0fa12c27dfdfa135f42f3
SHA1 hash:
b5ec68230770d777e43552be50d8d25ef0e04b6b
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/a4620c2c-cb80-4d65-8c99-2978720c0ca2/
Parent samples :
7b62e2e0e51bc3923d80d98a074afdc84c8435c602f7d419c785d1907252312d
58792f2b2ce47f9bd6d3f5f7d3450d6ceb982836ec004b182f732b07d20ba4aa
b123d66d76053e9370b833030e14cabe3570a8d312514560a6d3a9102c341c53
e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55
5fff2b1da9f0c16196866c52606a2fd33ea685e67bea490057724bcec780e131
75d436daf3a4884c7ac1e12650cc105232a2778f769028e50a837ef14034ddab
ae0d463b6861b38c1050a55ad8fc4a111922e42c96f85df47053dcf838db07ad
46606eb69b6c1fd22b96ca8f40813375c6e208bd7d9c37e18129b88ae338ce2e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e39c7387232bd019b158413db566c128dce79a8f4d63b4eb62906fa191223c55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/8380/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments