MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
SHA3-384 hash: d259cfdf1624a8be34d8d2daae62a1a5c7990ac6477cf33b4f2c7f793ab324745fb54a5870ec663bc7c308f1665d4f31
SHA1 hash: dfd45f26daa3cf8e1a6a2b742cae886359e6abb8
MD5 hash: ccd4a73427bf367b62b7a2a253d04142
humanhash: skylark-rugby-mississippi-six
File name:İhale Bilgisi sip. Cari kod 120-57-1681 Gama Muhendislik a.s pdf .exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:814'080 bytes
First seen:2025-06-02 13:31:11 UTC
Last seen:2025-06-03 06:17:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:ZNUVce3WwPPmP7cP9Kl33cOfcRRM4jMATCpWxbajFckuP4Vci:LEmw2cPO33ckcR64jMeIabajFckus
Threatray 1'938 similar samples on MalwareBazaar
TLSH T1DD05D0143636AB03D6B64BF80A15D1741BB84EDEA41EE21B8FE6BCDF74A5F150880E53
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
541
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
haleBilgisisip.Carikod120-57-1681GamaMuhendislika.spdf.exe
Verdict:
Malicious activity
Analysis date:
2025-06-02 08:46:44 UTC
Tags:
snake keylogger netreactor evasion telegram stealer
Link:
https://app.any.run/tasks/9b2891e8-86a9-49dc-832c-56d93fc9ee8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6875/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.27618.27507.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683da9ca668438e362ea3e27
Tags:
keylog spawn spam msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/683da7b8e336a33801e1b1ca/reports/c5b92f99-2f03-44ff-8973-086f4d17af24/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab063f07-ace0-4020-a06c-b9dc38c19a13
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1704035
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1704035 Sample: #U0130hale Bilgisi sip. Car... Startdate: 02/06/2025 Architecture: WINDOWS Score: 100 49 reallyfreegeoip.org 2->49 51 api.telegram.org 2->51 53 2 other IPs or domains 2->53 61 Suricata IDS alerts for network traffic 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 71 13 other signatures 2->71 9 #U0130hale Bilgisi sip. Cari kod 120-57-1681 Gama Muhendislik a.s  pdf .exe 7 2->9         started        13 tinAxBKsYV.exe 2->13         started        signatures3 67 Tries to detect the country of the analysis system (by using the IP) 49->67 69 Uses the Telegram API (likely for C&C communication) 51->69 process4 file5 41 C:\Users\user\AppData\...\tinAxBKsYV.exe, PE32 9->41 dropped 43 C:\Users\...\tinAxBKsYV.exe:Zone.Identifier, ASCII 9->43 dropped 45 C:\Users\user\AppData\Local\...\tmp376B.tmp, XML 9->45 dropped 47 #U0130hale Bilgisi...k a.s  pdf .exe.log, ASCII 9->47 dropped 73 Adds a directory exclusion to Windows Defender 9->73 75 Injects a PE file into a foreign processes 9->75 15 powershell.exe 23 9->15         started        18 powershell.exe 23 9->18         started        20 #U0130hale Bilgisi sip. Cari kod 120-57-1681 Gama Muhendislik a.s  pdf .exe 15 2 9->20         started        23 schtasks.exe 1 9->23         started        77 Multi AV Scanner detection for dropped file 13->77 79 Uses threadpools to delay analysis 13->79 25 tinAxBKsYV.exe 13->25         started        27 schtasks.exe 13->27         started        signatures6 process7 dnsIp8 81 Loading BitLocker PowerShell Module 15->81 29 conhost.exe 15->29         started        31 WmiPrvSE.exe 15->31         started        33 conhost.exe 18->33         started        55 checkip.dyndns.com 132.226.247.73, 49716, 49719, 49721 UTMEMUS United States 20->55 57 api.telegram.org 149.154.167.220, 443, 49746, 49754 TELEGRAMRU United Kingdom 20->57 59 reallyfreegeoip.org 104.21.96.1, 443, 49718, 49720 CLOUDFLARENETUS United States 20->59 35 conhost.exe 23->35         started        83 Tries to steal Mail credentials (via file / registry access) 25->83 85 Tries to harvest and steal browser information (history, passwords, etc) 25->85 37 conhost.exe 27->37         started        signatures9 process10 process11 39 conhost.exe 33->39         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-06-02 08:34:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6y3fie3qgghieu6c5l3vyqpdz7qbwu7hkctwywn7c6ujie3n4paq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
3961987dda53c630bbff8bca5d0ed8b6dae39c77a448aafda0a67c2db173e8c8
SnakeKeylogger
3c831d32919d82c5b30e3bbe158dff4d2090803e5553248eabdedd95dd085736
SnakeKeylogger
840ecbe67b468d355c7a3be951f5875a70b5f6295b5cd599ee7cc4ef9015a794
SnakeKeylogger
e69d7fa2b55a9c5b632015c4cbc2551b1109e99f7773f4fe7def0aa8a91eca11
SnakeKeylogger
f2cf2e30e5adbd28df56d9b640ac94dc8fcf6ff6cecc04502af5664e3afe82a0
SnakeKeylogger
+ 1'928 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250602-qshmda1pt9/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e9fb1f78-0c7b-4730-a5d7-297f352f7b73
Unpacked files
SH256 hash:
f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
MD5 hash:
ccd4a73427bf367b62b7a2a253d04142
SHA1 hash:
dfd45f26daa3cf8e1a6a2b742cae886359e6abb8
Link:
https://www.unpac.me/results/698d4afe-129a-4fac-b26f-4cd07733faae/
SH256 hash:
a01dd993290c7b91b20ca6a7e446bf4edabc2c85c832b4b824f396788f7f5a02
MD5 hash:
17e4960eabeb73f49f12ac8736b408e4
SHA1 hash:
2f56f8828137dc6e47d77d7e52541a748f092ba6
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/698d4afe-129a-4fac-b26f-4cd07733faae/
Parent samples :
f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
e3f94e84769fc8d25b081f44226b89c332f7ffe21564939aa0be868a4ca2d7a5
d73ad9264e737d95a1cdeed413d7015a18e2f1f679ebf56a2973c97ead7b1447
83885d6469d809b0709f82c75605005fed02c3cbdde2a8d8e74589608d45b40b
24d845c266dc1d2fdd1af6df8cc3c206d2b570ac6df249147664310b13a28371
SH256 hash:
7b5675878bd6e238f3e456d44024018f8560e7d01bb5ff5652e822fd787e9d32
MD5 hash:
770ebab1abebb9d42c5695ea661dc26e
SHA1 hash:
30e25ef8b1631ee72554732cd80aa29869185974
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/698d4afe-129a-4fac-b26f-4cd07733faae/
Parent samples :
f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1
c5cda31ca3369da6d1aa062f41c8cca45a7ec066b62a71750745d5789cc5c198
d168b4b242f22172a5bdf03c8e368d1fdd8e8a9c260d60667e4fea6965bca9d8
c66b2e798dc9db4ee55ea482e9dc0807f63251ad079227df65e21b7a559cbb7a
899eb8d7505519390ec887042d84be0bc16d9ea6e63c84d542a2baaa418a4b11
527faa491b052e081f3f21cc8a1499a895e69184b46fc039b382150f4ee7063e
SH256 hash:
bef2bb2a2cac6d24aab6b29ab8af18cbb1c54e4b9a1ff5a74cce391e6534356c
MD5 hash:
3b0799df751360c9d8a03d56a9584820
SHA1 hash:
88ae75880a3b02a8190d317b3b38a8b1a43e2c17
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/698d4afe-129a-4fac-b26f-4cd07733faae/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f63654137031/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f636541370318e8253c2eaf75c41e3cfe01b53e750a76c59bf17a894136de3c1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6875/

Comments