MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
SHA3-384 hash: 765d965a7f88f5f38df4943af1188b103c77689f69291f020acf3930dcb62f1776a04eb438ea7f53c3752625c17cb1b3
SHA1 hash: f7e8d9fd4ecaadd7b57dd4522a9386d8202fba81
MD5 hash: 0aea0df1d69ff5ae6a3a519188a0db54
humanhash: fourteen-quiet-romeo-artist
File name:f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:598'528 bytes
First seen:2025-07-07 15:04:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:2b6/GctY6Bn2aVayUzaEny6/OmGWb5tSHFpvhy+x2kDlojfj/7iTqGJvHrcbhHSJ:2anb8ykaEnhOrEbSHFykyjWqNOIa
Threatray 3'633 similar samples on MalwareBazaar
TLSH T19BD4021E2CA3D4C3D16A3FB48663C2B889A43FD65C73C6D36BE73C1F39259116512662
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 1a71c0aaaaaa0203 (10 x Formbook, 2 x RemcosRAT, 2 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
31
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13192/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686be247900df8e7f8685145
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Forced shutdown of a browser
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2/
Threat name:
ByteCode-MSIL.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-06-26 13:44:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ymyp6a7vw35rbd5mqhqu3wor7c2jtxvt5kozqld7umnkjt7wkza._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
068e05c944faf172cf83584b995dd98b6ad77a42df01e0bda06cec52eebc3074
SnakeKeylogger
5f31ae849162679f3f77a484a2f1915b69e805d3e5c5b3e57b5941885e21d62e
SnakeKeylogger
7b2118ed1133b43f2521509f4eac9e89b89cdfc389208099cc6e601aaf95c836
SnakeKeylogger
b1bd96341b2c06cf1ea7a1a9026222f1a85d8605798be6f7809100b3e0bd11dc
SnakeKeylogger
b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1
SnakeKeylogger
edf0d05f27b9a5ed1f4b216d2ea71997b02a2b05be07ec0d54e4f9e99897c797
SnakeKeylogger
error
SnakeKeylogger
+ 3'623 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250707-sfwpkswwes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7989208005:AAF_Q0GA79z6GYuSCl4sG25i2uv4Su1T7eM/sendMessage?chat_id=7300263540
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0154ae3b-6085-4b81-8334-7c05394b5633
Unpacked files
SH256 hash:
f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
MD5 hash:
0aea0df1d69ff5ae6a3a519188a0db54
SHA1 hash:
f7e8d9fd4ecaadd7b57dd4522a9386d8202fba81
Link:
https://www.unpac.me/results/16ba73c9-5fb1-4512-96d0-19752f6ead0f/
SH256 hash:
741b73d728c4b1366090cfa7bf33edfefecdae3c703c4cfc8a7eef7ac99be4c8
MD5 hash:
aff04a6ae0eb4b5784b7fd613b73d328
SHA1 hash:
05fd5a4a973d3e44f5d11195c37758eb23a84337
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/16ba73c9-5fb1-4512-96d0-19752f6ead0f/
Parent samples :
e3b280fc7bd9dc77cf90901553a8d9e103d8ce3eb4fb4f107599a6c9630ff825
f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8
0f22c8a761d26fc6db2f20b2c3070269bf8248eebc03743250da0805ee9a8511
SH256 hash:
d866e5d1b4e2e7c55e7b867af30b468900bfca5dca68cdd3af723255a9739911
MD5 hash:
4a04bfa181535a33678bcd6b08159e3b
SHA1 hash:
c6ce9aca9dc9592f6ffc9882b2ffe34be81219d5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/16ba73c9-5fb1-4512-96d0-19752f6ead0f/
SH256 hash:
a1197118cd085e336de212d6a51e513817076a3beb2dc2728733fae5253e5ae9
MD5 hash:
d54b432df9d4f8f2ab4057e9edcfe2ac
SHA1 hash:
d9dad22013d498a9b1ce8c898eeb5d2aaa3f49fe
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/16ba73c9-5fb1-4512-96d0-19752f6ead0f/
Parent samples :
90962ba0ec6ebcb4c4100da132db67bab29c86eed1f3b3bd7f20d71ebae630f6
f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
0ca24a250450f9e2639c76366488b654e7adb23fda7fb4b80f51d7251ba70442
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13192/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments