MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc6abd0f403f8788696382e1f319987e1f978ea516418bc54e8335fabff2b1e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 19


Intelligence 19 IOCs YARA 18 File information Comments

SHA256 hash: fc6abd0f403f8788696382e1f319987e1f978ea516418bc54e8335fabff2b1e0
SHA3-384 hash: 9c96ee1c87fa7f515491cf1c7c24a7c4909124f50ac022bce6795037721dd0962b7d6b9d3dc52a42ffdad7c55dc2593c
SHA1 hash: eae79a4390f2afc7090a6c5009e9a8aec563d9c9
MD5 hash: bee2a4a2f9cafbc57832c5669f4af271
humanhash: glucose-ink-robert-california
File name:Zeskanowan_dokument_30.09.2025_1084570205013.docx.exe
Download: download sample
Signature SnakeKeylogger
File size:620'544 bytes
First seen:2025-09-30 11:54:30 UTC
Last seen:2025-09-30 12:00:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 12288:2LItIRc0yTOucz6bsZWThKgYLnquR/IQDMpWRUBOhuydOt5mjUe:2N3ySBPWThKg+b1DMpWhuyYmV
Threatray 3'802 similar samples on MalwareBazaar
TLSH T1C4D4024DBB2AE652CF1D1BFBA803500941B9915BE172F2AB19D81DC35E3AF18C54BE13
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Anonymous
Tags:exe SnakeKeylogger

Intelligence


File Origin
# of uploads :
4
# of downloads :
50
Origin country :
AD AD
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Zeskanowan_dokument_30.09.2025_1084570205013.docx.exe
Verdict:
Malicious activity
Analysis date:
2025-09-30 07:48:35 UTC
Tags:
evasion snake keylogger stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
underscore virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-30T04:28:00Z UTC
Last seen:
2025-10-02T06:50:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb VHO:Backdoor.Win32.Androm.gen Trojan-Spy.Agent.SMTP.C&C PDM:Trojan.Win32.Generic Trojan-Spy.MSIL.SnakeLogger.sb Trojan.MSIL.Taskun.sb Trojan.Crypt.TCP.ServerRequest HEUR:Trojan-Spy.MSIL.SnakeLogger.gen Trojan-PSW.Win32.Stealer.sb
Gathering data
Threat name:
Win32.Spyware.Snakekeylogger
Status:
Malicious
First seen:
2025-09-30 08:47:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Result
Malware family:
snakekeylogger
Score:
  10/10
Tags:
family:snakekeylogger collection discovery keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Suspicious
Tags:
404Keylogger
YARA:
n/a
Unpacked files
SH256 hash:
fc6abd0f403f8788696382e1f319987e1f978ea516418bc54e8335fabff2b1e0
MD5 hash:
bee2a4a2f9cafbc57832c5669f4af271
SHA1 hash:
eae79a4390f2afc7090a6c5009e9a8aec563d9c9
SH256 hash:
790220b1c4e6f9b99d1d4e6eb0568b25543d85aed0317298139d2dac606c2af2
MD5 hash:
6fe5b2084b6b6ecbcfaed1f28eda3577
SHA1 hash:
29085361c7028e661413390cb3bbf00916046480
Detections:
win_404keylogger_g1 snake_keylogger MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_DotNetProcHook MALWARE_Win_SnakeKeylogger
SH256 hash:
bb32b3e2e0c178e7696cf55ddeada204501df6d0211bbb6a4628e2d0a68e27e7
MD5 hash:
5bce1c58cad18c50ba7e8c841c2bd5a3
SHA1 hash:
6b3adee7a1503fbcf5ab024eaee8d4ffb2ef49cb
SH256 hash:
1eb28f2fd9fa1bbd62dff82039fa4e0cd97bb0b447fda93699a14b9b882eeb8e
MD5 hash:
782fb39d03f9b5f7b865dbcb95638158
SHA1 hash:
f77fdc5f1330b06c0f8b738ca4eab4691eda4d9d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:crime_snake_keylogger
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_SnakeKeylogger
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments