MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13
SHA3-384 hash: 45cd15f2eddfc7ca299c7b13ef6c020c6f0c908eda642f3705ed8764182ed90a07a4349e25259ecee4a5f301a41940d8
SHA1 hash: 58fddd492b6896cbf5d25ef8a6d1281e10ea465c
MD5 hash: 2a783ac0084e8fabd29b385e208acfc0
humanhash: pizza-monkey-johnny-virginia
File name:PO#84235.zip
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:646'080 bytes
First seen:2025-06-24 13:11:36 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:EkNmUInmNux9Pmz3Qz+S/v6SLDOHG7eR3UBOQ9bypqClcqHWI1vSOIt3h:nqu3QdXXZeRtQ9KzH9ItR
TLSH T154D423F8E3817C198F93749DE542E178BA05E5AE3DD9652A0C0BB398D08AD6F5C23F50
Magika zip
Reporter cocaman
Tags:SnakeKeylogger zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PO#84235.exe
File size:1'098'752 bytes
SHA256 hash: 6ef7e6b7f68656ff45e2d4a671b740aad9ca63a1e0fba6a4a11528b728f93589
MD5 hash: 11e66ad58752289e44260f8c13615c2a
MIME type:application/x-dosexec
Signature SnakeKeylogger
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs292.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.FileRepMalware.13932.25137.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685aa443b06783b9ebd6d299
Tags:
autoit emotet
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Labled as:
Trojan.Downloader
Link:
https://www.hybrid-analysis.com/sample/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13
Verdict:
Malware
YARA:
3 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) Suspect Zip Archive
Link:
https://app.malva.re/file/2a783ac0084e8fabd29b385e208acfc0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-06-24 05:35:29 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5weo4kyz27qd5nakmbju5bt5vgx5npnkpj5l3oayepr3ciyhvyjq._file
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger stealer
Link:
https://tria.ge/reports/250624-rzjzfsvvbz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:win_404keylogger_g1
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip ed88ee2b19d7e03eb40a60534e867da9afd6bdaa7a7abdb81823e3b12307ae13

(this sample)

SnakeKeylogger

Executable exe 6ef7e6b7f68656ff45e2d4a671b740aad9ca63a1e0fba6a4a11528b728f93589

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6ef7e6b7f68656ff45e2d4a671b740aad9ca63a1e0fba6a4a11528b728f93589
  
Dropping
SnakeKeylogger
  
Dropping
MD5 11e66ad58752289e44260f8c13615c2a

Comments