MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 18 File information Comments

SHA256 hash:	ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115
SHA3-384 hash:	02bd1b1790d42632a9177ec8115eafb3669f9631f913ea73992678360917a430cd5141105b92f3f11e010038528e528f
SHA1 hash:	0ad3175b30b07452a4ec80305a52682ebb28b5cb
MD5 hash:	aed893d588de29e1f758f287a330e497
humanhash:	illinois-alabama-pluto-blue
File name:	MT103 -3981002 11504.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	804'352 bytes
First seen:	2025-09-24 04:24:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:NMrXau1fKVDBaxGcMnZUJ86ZUfLcK2PF+B+QCjyh0Y:U30DCGcMneJChq8B1oyh
TLSH	T19405020132EDEB06C0B64FF50974C375573A6E99A526E31A4EE5BCEF3D35B011A062A3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MT103 -3981002 11504.PDF.z

Verdict:

No threats detected

Analysis date:

2025-09-24 04:31:56 UTC

Tags:

arch-exec

Link:

https://app.any.run/tasks/b98f6079-d419-4457-a771-b57a0534eaba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/28732/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d53d0ccc9425144151cbfe

Tags:

virus krypt spam msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68d37293c24f53840f2fe44c/reports/fe3500f8-3c21-4d92-961b-64fec5752f6a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-23T21:56:00Z UTC

Last seen:

2025-09-23T21:56:00Z UTC

Hits:

~100

Detections:

Trojan.MSIL.Taskun.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Taskun.sb VHO:Backdoor.Win32.Agent.gen PDM:Trojan.Win32.Generic Trojan-PSW.SnakeLogger.HTTP.C&C HEUR:Trojan.MSIL.Taskun.gen Trojan.MSIL.Inject.sb

Link:

https://opentip.kaspersky.com/ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/82073d1e-10c9-4f17-9232-c08d97881749

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1783047

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.16 Win 32 Exe x86

Link:

https://app.malva.re/file/aed893d588de29e1f758f287a330e497

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5phxuqstbcckdiotdxxcyhdh24uvfnqdyjny42gl6vxzpd3vgekq._file

Verdict:

malicious

Label(s):

unc_loader_037

vipkeylogger

Similar samples:

error

SnakeKeylogger

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger persistence spyware stealer

Link:

https://tria.ge/reports/250924-e1vfcsbq7w/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/0ca95ec0-a96a-4142-886c-d13f41175142

Unpacked files

SH256 hash:

ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115

MD5 hash:

aed893d588de29e1f758f287a330e497

SHA1 hash:

0ad3175b30b07452a4ec80305a52682ebb28b5cb

Link:

https://www.unpac.me/results/bd326884-1162-46f2-990a-a911c1d4453b/

SH256 hash:

f40bbc64be1ae1bd0e7071652bca22131bf572c6422945eba21e01069c1fa28f

MD5 hash:

66a95daa7a2aee1d36613b30593524b3

SHA1 hash:

2e4f8600b4a889ba1d497bc292b43e680cfd7f5d

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/bd326884-1162-46f2-990a-a911c1d4453b/

Parent samples :

11e992ccc2b4bde2707713cd8c71b0c72c781ec22a6b3b96ae3af2bea8b38d58
56b823a94c3c6723b8ddc90cee68c6d71588144d2e01440b6802d61dac0ad148
ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115

SH256 hash:

cdb8ac92c7a341ee1ead563bf7b48a244d580acfb30704043b6d4b24ea5ccf09

MD5 hash:

07ca79c30cd50df8c68d115eebd52475

SHA1 hash:

a70c058086cd6156059b9947aee5bcd3f75f3336

Link:

https://www.unpac.me/results/bd326884-1162-46f2-990a-a911c1d4453b/

SH256 hash:

17675bda94ad99787856c1e8c512e938e16f98ccfbe68f00775a6ee1736f3587

MD5 hash:

4a860380958930adba14fb469f6e198d

SHA1 hash:

f43b3ccfc04bcae99d7189d1720a113076681a30

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bd326884-1162-46f2-990a-a911c1d4453b/

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ebcf7a425308/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ebcf7a42530884a1a1d31dee2c1c67d72952b603c25b8e68cbf56f978f753115

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)