MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 19

Intelligence 19 IOCs YARA 17 File information Comments

SHA256 hash:	ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8
SHA3-384 hash:	0b9ef982880baa8944d2e205eaf6c4eed5407776bbe9d733645713eb8c39ab56a09925856be72a065ff5b3d19f00f8ae
SHA1 hash:	3d4e2b64008ea7feefc4e8a87b3b30701c8c1e1e
MD5 hash:	ffb2de3bb02b0b895e42f7de29f4071b
humanhash:	beryllium-harry-connecticut-sad
File name:	z97FDS98765450009876545678900.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	585'728 bytes
First seen:	2025-10-13 16:30:06 UTC
Last seen:	2025-10-13 16:57:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:xfO7xKqXxB/CHfh9sIKqaIzgDLh+2ZeXO4yQZqPbbEKt:U1V/C/hCIBrzELh+2Z14yQ8fv
Threatray	870 similar samples on MalwareBazaar
TLSH	T10EC412582305EB07D8A197B84AB1F23917BC2EDDA900D3265FDABDEBB533B054D40297
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	FXOLabs
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

z97FDS98765450009876545678900.exe

Verdict:

Malicious activity

Analysis date:

2025-10-13 16:30:44 UTC

Tags:

snake keylogger evasion stealer auto-sch-xml

Link:

https://app.any.run/tasks/61b97bc0-c054-4e0e-9513-3094fc625c4e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/32567/

Detection(s):

Porcupine.Trojan.Spy.MSIL.SnakeLogger.gen.442830.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ed2958f2ca2f143e421e5a

Tags:

stration spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed vbnet

Link:

https://www.filescan.io/uploads/68ed295271883144ef349e8a/reports/1f1c31e7-02a1-45e9-bdb2-f18c5e605b71/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-13T12:48:00Z UTC

Last seen:

2025-10-14T14:59:00Z UTC

Hits:

~1000

Detections:

Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Taskun.sb Trojan-Spy.Agent.SMTP.C&C Trojan.Crypt.TCP.ServerRequest Trojan-Spy.MSIL.SnakeLogger.sb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.MSIL.Taskun.sb not-a-virus:PSWTool.MSIL.BroPass.sb

Link:

https://opentip.kaspersky.com/ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01c2f1e7-d8af-407c-b160-60f62ab01996

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.41 Win 32 Exe x86

Link:

https://app.malva.re/file/ffb2de3bb02b0b895e42f7de29f4071b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-10-13 16:11:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5wpcoaxbjmd65l7ebcvz2zwttk5roahc63huyf25wsgxig6rtt4a._file

Verdict:

malicious

Label(s):

404keylogger

unc_loader_037

SnakeKeylogger

0f67fe74fb4cf4338c01d4fef99efbc2d7fa49d5acd524e0dd7a7700c8c80af4

SnakeKeylogger

9cb0848b2a33dbaacfcbfbc734430161d65a3408e66ef4b369a9f3139a3e1b3c

SnakeKeylogger

e40ed83719528313ef5d65bb1ab4db9226a5e3d7421863f3375d94243db78049

SnakeKeylogger

ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

SnakeKeylogger

error

SnakeKeylogger

+ 860 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery execution keylogger persistence stealer

Link:

https://tria.ge/reports/251013-t1c9eagl31/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2507c335-ec59-4e3a-a92d-61dc80f0ab55

Unpacked files

SH256 hash:

ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

MD5 hash:

ffb2de3bb02b0b895e42f7de29f4071b

SHA1 hash:

3d4e2b64008ea7feefc4e8a87b3b30701c8c1e1e

Link:

https://www.unpac.me/results/d9551e36-d4e4-46ca-b091-b628cae35056/

SH256 hash:

5d44cf19852c5cd794e2d62809b63b94725fa3fb6448cadf85e3176f7c33fd9d

MD5 hash:

07eae10df342c0f8f4b66efdbac005a7

SHA1 hash:

02ec10a8406c2e7bbd321c44bc8b79dc6aa2f0f5

Link:

https://www.unpac.me/results/d9551e36-d4e4-46ca-b091-b628cae35056/

SH256 hash:

d5daa4f020b1c5dfd6c73e05e5e2899fc85e0208ab3acda2da76822ad350ae96

MD5 hash:

cfe5100d4a03610f87944051a799cec1

SHA1 hash:

87c3cfac5c64561138ab1eccedcfeab1ef3f5d8e

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d9551e36-d4e4-46ca-b091-b628cae35056/

SH256 hash:

ab074c17469c78b73adabc252b28e58f94d33b35cea7d3c4cba735a4d625a457

MD5 hash:

8eaa8a9fee469ebc5b4552a148d67d19

SHA1 hash:

c20c781989f22a2e2c1f73c3e6e1b37d8190af00

Detections:

win_404keylogger_g1

win_masslogger_w0

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/d9551e36-d4e4-46ca-b091-b628cae35056/

Parent samples :

ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8
b50a00929e501313e1973833528b15251bdc410bf43f0328617af7c702096ad8
b7d078fa73d4a05c8216beddcb32493375d8457879525e026712e2a3e5198d89
cf960781f1a616c0277102db1d353fd73fa2c1e2642dac9e9a31aa21b8d5854f
42f5cbb12c4e13fb288fa434f31141d11f75f6a886623668d2d10f883dfc912b
4af374bbae171062a58c22a6a310fdeb2da768cf2bee3bceb8e7677a51c150fa
66fb500e98e755b7ec119c1e9477621ff55e1f08bcca1361c500cb3966d0fb6b
61f18c9b35079e3e414ea5d991e5bc8c1d408941584173d7e4d6d89721ff2d5d
2cdd6fb6cace668f883a8e0134248e484d9a3504bf60b53c7f55fad5ec6eb866
91f364727c5515a37f48a0b1a9eb0782ef5cd2f7d2ad49f1f44beabea75089d2
ef191e2d10681d7e07d403c5a0f5c595fb55c54c9a66ddd6cabdb7af0d6f65b2
d8becc9e6e2f778b79f2fbc7de9d7a922aeab696ba2a799fbcf9ed1267a171d1

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ed9e2702e14b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/32567/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample