MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071
SHA3-384 hash: a01e07c9e702c213b5157b5091a78f47437ab2fac976bd97e342161666cb36dae796440014531fe60bf43f225e45e71b
SHA1 hash: 46982645d464196ca5c4b96d94538449eb3d66fc
MD5 hash: 79632e6ea47abf22b75a1610639fa5b2
humanhash: march-wisconsin-july-chicken
File name:Proforma Invoice.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:747'520 bytes
First seen:2025-07-22 10:41:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RTbgzzuzAocQ+7FlxlDxOeaFZH4Gp32jq9XrLXEWJ//3plP:RTJzAA6FlxlD8LrlvXZ5lP
Threatray 3'186 similar samples on MalwareBazaar
TLSH T10CF40108311ACB06C87A8BB41A36D2F013B66E8D6821D71E9ED67EEF3C7AB411705757
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice.exe
Verdict:
Malicious activity
Analysis date:
2025-07-22 10:44:04 UTC
Tags:
netreactor snake keylogger telegram evasion stealer exfiltration smtp
Link:
https://app.any.run/tasks/86f36cb4-8550-4152-a3bc-44e6c896dd78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16306/
Detection(s):
SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.4597.19176.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687f6b922f623871a5f1c14b
Tags:
stealer virus spam msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/168efea1-c125-41f4-b2ed-b5e6fb98a123
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/79632e6ea47abf22b75a1610639fa5b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071/
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2025-07-15 11:53:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6iqvamhcllhenvm647fc7ujmjt5y23zcbwci4unl2k55cpey4byq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
4d4f4dd3dd03d3ff63689d10675978b1e232f7d1429eca28cd3d9525824817eb
SnakeKeylogger
624f46db29045d2f0a16dd88f64ba2503febaadb7f0b721df054bbe7dbad23e9
SnakeKeylogger
804cb8891f2829caf32366e9efbbeedd19eab55288ca94702d1c29ffded6d463
SnakeKeylogger
92d083bf8b8d5e5aa7162480dac9c3e8f402365bd67c8936f199b7c9ff32bf9c
SnakeKeylogger
c430eda3d7263ffd0e07235b29cd7f54961c51091e4ab3bc38d72891c6233e61
SnakeKeylogger
error
SnakeKeylogger
+ 3'176 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250722-mslggsvsct/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b0917e55-7733-4d07-adc9-a0638f86969b
Unpacked files
SH256 hash:
f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071
MD5 hash:
79632e6ea47abf22b75a1610639fa5b2
SHA1 hash:
46982645d464196ca5c4b96d94538449eb3d66fc
Link:
https://www.unpac.me/results/5e2d6bda-11e1-424b-b139-6547aa3e9144/
SH256 hash:
14725c2e4d97123050fab53d956a1eb027afefa2904111bcfca0751387c306b8
MD5 hash:
7c5818ef062d25ecfbcb7db884a530c5
SHA1 hash:
241525d7500302bb0a91b15d71a6ca0da0ee0d23
Link:
https://www.unpac.me/results/5e2d6bda-11e1-424b-b139-6547aa3e9144/
SH256 hash:
13458dd050a25036fb51bc701f32762e9c29bd77d97765637508a0a1fe7a4be1
MD5 hash:
e59b0f345b4d2a77531d8673d34d4314
SHA1 hash:
723a9c392098334a0f74fec8b0ad0a9c317db7fe
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/5e2d6bda-11e1-424b-b139-6547aa3e9144/
Parent samples :
eb54ebd946de089a842c01f8f72e8d74e7308f22d01b1c5e422aef85807494e2
b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
1fa3c4e703405564123cb7d433d69566075ae20b4ba894c91681b0f55b14c14d
1a8cae4d0b7aed52a77e8e33770bfc4148c5766b8f4e24614a2953b5e931ed35
f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071
SH256 hash:
0adec5d5d0911ebae54ea38d8130c90c8f8fdd7e98b80d3e490f92f119d4e54c
MD5 hash:
f4ad4edc4b044b09f140c64758cd16c6
SHA1 hash:
e442b1aaf3123332124a7481ba4dd49fd764a74e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5e2d6bda-11e1-424b-b139-6547aa3e9144/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16306/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments