MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
SHA3-384 hash: 3536b6a7cb8930c54a81a512cb6daa065ab08d440c99d4b65a9d52218468a63e103a2c3e1af8a2e0430742c9ca6e1f53
SHA1 hash: 258d96b1191bc37744068c48cbaafe55ea418cbe
MD5 hash: 8ab3ee4bb7812c86e3c9c5a0b51e7a87
humanhash: utah-california-mars-west
File name:PURCHASE CONTRACT.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:736'256 bytes
First seen:2025-08-11 06:19:11 UTC
Last seen:2025-08-14 11:06:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:ono3N6DQlVCqhOCRh2NG0q22wEGO6qjVkWP1gE+KJQ3JZC3piwt+nCjRyYeRgHHl:PN6UVCqhOCRhR0++mmoXf3QCc4
Threatray 3'236 similar samples on MalwareBazaar
TLSH T122F4129F2468C157D0983AF600B3E7B217A80D5FE661E242E5C4EDDF79AB35249183CB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon d9b8e8e8e96982ce (6 x SnakeKeylogger, 4 x AgentTesla, 4 x Formbook)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
52
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE CONTRACT.exe
Verdict:
Malicious activity
Analysis date:
2025-08-11 06:21:57 UTC
Tags:
snake keylogger evasion telegram stealer exfiltration smtp
Link:
https://app.any.run/tasks/9d5470ed-8b12-462b-908c-cac90cda3cf3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20039/
Detection(s):
SecuriteInfo.com.Variant.Genie.8DN.1084.29475.7633.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68998bb6fca70bd90e8dfce1
Tags:
phishing spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9639d767-148c-40e6-9c2c-479d7aeff793
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 07:55:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
25 of 36 (69.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hcliiydcse5l2rw42bpokpzqf4j4aqnztfid2t3fp6o54pomlgq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
a940014a730129f95371c84c982bcbf378586e7afd6eb2f3d0acaf0d15a8ded4
SnakeKeylogger
af6e3afe54776fbfcfd18d707576ea0ae9504da1d53f7af1ae41fd71408816d4
SnakeKeylogger
c53170393e7825648709b042f54ff764a4228f38b31ecf29b7e7d971b4e42b56
SnakeKeylogger
c8b76fc09a283dae6e7ed2f6cae8e31d0b4038abf3f851da15672110b99fd23e
SnakeKeylogger
+ 3'226 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250811-g47afagl4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
404Keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/2eda3c63-2c2b-4f6e-b175-61d6a3f6bae7
Unpacked files
SH256 hash:
f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
MD5 hash:
8ab3ee4bb7812c86e3c9c5a0b51e7a87
SHA1 hash:
258d96b1191bc37744068c48cbaafe55ea418cbe
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
b10716906f3ba7612989cd3a5d6074501f1d37d5789cf5612530260278a15ebe
MD5 hash:
f0783848fc0e26ab6b6fd64344a674ca
SHA1 hash:
2995c6732cc3c8633734067f04c2b0c5eb71e3d0
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
70da79e06c8c6e21a0e48176dda5b2f92ff543e9daafe302025f5566c92d6dd3
MD5 hash:
2e3071d9cace46dd3c3d57bd4061ac65
SHA1 hash:
849b0edf8520bfd25d4c4831aabfc4ae43d10430
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
bf055955186bbe08f6ca366549751310f1958eb528d0fb029c457425963c76ad
MD5 hash:
2db6bc1c88650472ee9780cef12e7a77
SHA1 hash:
02ba920c9a63374cf0ede1bef4a95ece6aa047b8
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
a1ac165099fab5b1c0742eb94cfc2de59f151f6a15f3b10d4b99dd4824ad164d
MD5 hash:
53c63d389079a76dc0c2fa4d83f7d264
SHA1 hash:
49a3aefea712691446df8bc12157294f78e59cf3
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
f2c69390380a9307aafd9cdc5aa9a7cbd02bf848e664a68821cd13da215498d4
MD5 hash:
3dcd931259fdb922f050e23ecc70d6ec
SHA1 hash:
65192a73dd0c173c9c2c729ded8f534ee9e0187e
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
a0d934af8a184afda7ea82006ac38a49e89d0bc6c3973e82347a79311ef1144d
MD5 hash:
d5dd41e6617cb3fc545bc3e08d559292
SHA1 hash:
685680b99c84604e29e5ffa5e6a06527c2eb1997
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
d40f39e371123a77c63098be50ec1a2560778b8bb40f912a5dfb40857b2f1360
MD5 hash:
6248d192a16d1635c97b22923f84bd9f
SHA1 hash:
907f25fd5080e325e0d3691e36a0957c4a6efdd5
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
ccd22eb1a9857f8cc1b1b33857a35ad6d1b4a3ae788e81e7b29b6d27629a2bc8
MD5 hash:
0d133e5bf6aaa190ab9e245dcc7d5543
SHA1 hash:
976757c60f4f31443b7eb356878da6a28c8c2816
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
SH256 hash:
1bbf0181a363a94c8ca224de542a62392aa6a9ab08d30b464859f9e7d7a7bdb2
MD5 hash:
508179f76be01be3298059c7e4f1536f
SHA1 hash:
97bb4d557e762807f832423476d829e6f83d19e4
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
Parent samples :
6bfefb0f3b8a878aec69c3d830824c3bf7d5181ffd6d6e88dc4a8d793370c233
f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
fb114b07eab8c5dd7faf8dc1b15f79cda7043f283f17c2c89797c57112d926d1
aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa
SH256 hash:
35e7225fea67de12a03b13bd25124d173d66d882f5d68b59eb8455c9f16e546a
MD5 hash:
bdd7858efac937a99b1acc590d63ef5d
SHA1 hash:
b7411666cfee1439abba8b46959031a70203f344
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
Parent samples :
8b11fcca89381e3f89964db156074fb4d4a00a5b0963010fd9396a2463e84034
f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd
5ad3f15faf80e24a6c002f577b2b00b2039eec0d19f848cfcfeea9d494ef83dc
2b2ae966d34a67db06f6538a4f9c0b091899546beabbc4f28bbb23e5de7b9c69
593b2dd3e7a1806f5f97341c297792834c28f57fb95e33c4528c733a9fed4c73
SH256 hash:
6300c2fc86c29d58c6993c0105f1db3e1213eb26a6a2cf2fae966bf939b7b0f3
MD5 hash:
b135cc9f3477e6a13d0c069dcb40e435
SHA1 hash:
ef1ff866988afb0be1c2ab6345b8577c7420c7e0
Link:
https://www.unpac.me/results/2908a73a-54f5-4074-b255-7d662e517bfb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f1c4b423031489d5ea36e682f729f981789e020dccca81ea7b2bfceef1ee62cd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/20039/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments