MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 20


Intelligence 20 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
SHA3-384 hash: de43f69e223444ac94c618d8f83bd3ea6c436cedaf0c32b5fee370f8b19c1c1af0130595184c2d4b303d0c400c77449e
SHA1 hash: 6320e1973e714027f3d4280c125ff36f51848f81
MD5 hash: 48e1fdaf7662517c4e0f968966d4d7b0
humanhash: bakerloo-moon-oven-emma
File name:f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:133'632 bytes
First seen:2025-10-14 11:04:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:9+XTGb9aByNHS9IvEMb5ssLsL9wvxdKgbY:AG5aaEMbpTTb
Threatray 3'801 similar samples on MalwareBazaar
TLSH T127D318592BE49814E1FFA97302706115C375F8130A6ACF1D1BC2B86D2A7E6E1CE16F93
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter JAMESWT_WT
Tags:exe SnakeKeylogger webmail-ki-lojaobrinquedos-com-br

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
Verdict:
Malicious activity
Analysis date:
2025-10-14 11:13:18 UTC
Tags:
snake keylogger evasion stealer
Link:
https://app.any.run/tasks/acadda25-eae9-4b84-b8f3-43d72a03b923

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32661/
Detection(s):
Sanesecurity.Malware.28875.BadIN.UNOFFICIAL
Create hunting rule

Win.Malware.Generic-10008460-0
Create hunting rule

Win.Malware.Snake-10019584-0
Create hunting rule

Win.Keylogger.Snake-10036322-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee2e4004e22ce9acd9ebfc
Tags:
dropper smtp msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Stealing user critical data
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 captcha cmd config-extracted evasive hacktool lolbin netsh obfuscated reconnaissance snake_keylogger stealer tracker vbnet
Link:
https://www.filescan.io/uploads/68ee2e6c4f3013c55e4d3fa2/reports/3b4e3928-7976-4951-ae29-f7c406191065/overview
Verdict:
Malicious
Labled as:
MSILHeracles.NotFoundKeylogger.Generic
Link:
https://www.hybrid-analysis.com/sample/f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-09T03:35:00Z UTC
Last seen:
2025-10-16T07:42:00Z UTC
Hits:
~100
Detections:
Trojan.Crypt.TCP.ServerRequest PDM:Trojan.Win32.Generic Trojan-Spy.MSIL.SnakeLogger.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan-Spy.Agent.SMTP.C&C Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-PSW.MSIL.Stealer.gen HEUR:Trojan-PSW.MSIL.Convagent.gen HEUR:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe/results?tab=lookup
Gathering data
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
Verdict:
SnakeKeylogger
YARA:
9 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout RAT SnakeKeylogger SOS: 0.56 Win 32 Exe x86
Link:
https://app.malva.re/file/48e1fdaf7662517c4e0f968966d4d7b0
Detection:
404keylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
Threat name:
ByteCode-MSIL.Spyware.Snakelogger
Create hunting rule
Status:
Malicious
First seen:
2025-10-09 08:34:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hw2oqpdnxuyj5lwjr3efgw2fbaqdn2kxoshw4ekyf24jh4ce77a._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
1a3b0673ca0264f6306fd9ef59ebf3e6b62d75def5f689eb8bd02f6a222a1e5d
SnakeKeylogger
543b0d455d409155d088d96f0ea8ec6ae11edd0d18d5c39e949d4557b9cdca5d
SnakeKeylogger
67223d2d06877753d37011fa5a9fac6f4155f3e341c56b874c2a6775649f51f0
SnakeKeylogger
9b82825864714597159caad95b64b68cbb976756b1989d4d38e782858e510589
SnakeKeylogger
cb3c37115d314c01bdc7c55e3d685ca91065842745fdf1b74f73a46be6ef27c6
SnakeKeylogger
+ 3'791 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/251014-m6p2tsfy5d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
keylogger snake_keylogger Win.Malware.Generic-10008460-0 404Keylogger
YARA:
MALWARE_Win_SnakeKeylogger SnakeKeyLogger_July_2024 Windows_Trojan_SnakeKeylogger_af3faa65
Link:
https://app.threat.zone/submission/db3de958-ebb6-474e-99c5-43ba78f4baa5
Unpacked files
SH256 hash:
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
MD5 hash:
48e1fdaf7662517c4e0f968966d4d7b0
SHA1 hash:
6320e1973e714027f3d4280c125ff36f51848f81
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/40282427-544e-4485-8268-741db55c7e9b/
Parent samples :
2ed366c595c98fbfe00e692f6d7e06dd237bc2fce08070b610e220083bdb1fe4
f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe
b234827824cb6864880f9bcf498b15a4a15511e541906347af53f0cd5ed60290
adbd8b904ab4bea6ff62fa51f68c11a1d1593fca88c8f556510f6a2764d98490
91be01581d30136fc1d54926fb6fee17beb10959dae4ff07c9808c0244cce25c
8e95907c0b65f2f882de4d6bf69e0b62bf6ea0be2a87e5cc0ffa535fad492264
74bfc0967b1636ed58fbfc95523775dbef1e084910676b1e13a775095fec013e
626a21b142572a7729f9ee6746af1a1b21378e2f2457f8bfce9bdbe7d1fbe136
4255224f9842c7cb47d5d5d488d2f45674ac540f2b4652618dd2153acd3cd151
27af0f60f3069416ee2be26ee18589448518135832e18ae26e867a95d22d8065
324fcd15e9d6f1b0991ad5943a3178031c608d872cb810eeef48f11295490d6f
5b51788ca1b5ba91fd6f120c8264ea6ca4ae45db3dce9079f741d4e90d7dd341
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9eda741e36d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9eda741e36de984f5764c76429ada284101b74abba47b708ac175c49f8227fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32661/

Comments