MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
SHA3-384 hash: 537b9412154f9e32e13a3c9f4588ec775ef9b3b185735133711244e4f103f5abac0b171b0b63a0dfc7e059304e833fd7
SHA1 hash: 1cdcc79b9ad97ef67fc4b67f293d30644e609a90
MD5 hash: ce0b5043f64127032cb1a72130b020dd
humanhash: six-may-cola-may
File name:ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:643'072 bytes
First seen:2025-06-10 09:40:01 UTC
Last seen:2025-06-20 10:13:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'855 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 12288:lqplkdsz91qG890OJUAQnm+uxx4YIUHo/:IkdMbx8mxlgyYI5
Threatray 3'651 similar samples on MalwareBazaar
TLSH T108D401983782DC0BC61523740A71F2B857BD5EEAE810C642BFDE6D9FB5B6F112D04292
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon e89e8e7133b2b2f0 (13 x SnakeKeylogger, 9 x Formbook, 3 x AgentTesla)
Reporter adrian__luca
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
387
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
Verdict:
Malicious activity
Analysis date:
2025-06-10 14:05:06 UTC
Tags:
evasion snake keylogger
Link:
https://app.any.run/tasks/f0941731-a245-4457-ac32-0d15dd490644

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8565/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3342.32140.10835.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6847fd928bd5d68a12e76363
Tags:
virus sage msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5da87c01-ff61-43f8-9001-feb11011b37a
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1711410
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect the country of the analysis system (by using the IP)
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-05-27 03:08:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
27 of 36 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=77uslydckpe6goks52heexoilnoufce55dvwus573rm3qxf34yca._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
404keylogger
Create hunting rule
Similar samples:
035fd9019348ef838afdb9663b147828c3523347699551e03ac73f8da3d3e8b9
SnakeKeylogger
16ac39458488454a5d43d2f0d250fe014bf22ab1542ee6cbd10c6f69ab8d91d8
SnakeKeylogger
5331735ae84af50e1ccf339c9fd96475ab9b1e11a975abeb64206a265fa89245
SnakeKeylogger
5a2a58a5c9a50cda175b03b68636c5f68d7dcc73eb19311ceb2940dddc97654e
SnakeKeylogger
b6bf9b1246423433ffd376e056b841b3df4302ccf8c9ceb9ffbfcf2d49ded6c8
SnakeKeylogger
c44d3e15034c029b6a3fb3571c9bfca998863ba209c5c354edce1bf0316a9e42
SnakeKeylogger
+ 3'641 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger discovery keylogger stealer
Link:
https://tria.ge/reports/250610-lnb7kssygz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/46c99b70-fd10-4e37-8acc-d33d083f28d4
Unpacked files
SH256 hash:
ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
MD5 hash:
ce0b5043f64127032cb1a72130b020dd
SHA1 hash:
1cdcc79b9ad97ef67fc4b67f293d30644e609a90
Link:
https://www.unpac.me/results/2b40cbd4-ac5e-4f28-b41b-564f6aa41255/
SH256 hash:
40821f2c5247a234030a44871d4d62035044e2d486432b81e06880213c6fa912
MD5 hash:
c98557f7f6d853d88f1704eeacf3f39d
SHA1 hash:
01fb8c8b57fe8e19022f3fe0ac882c4e9cd9c69c
Link:
https://www.unpac.me/results/2b40cbd4-ac5e-4f28-b41b-564f6aa41255/
SH256 hash:
1e11a1fe02ba90b919f6ef39dc475fe2f2b9bac0de535b926ca12870d7cfa17c
MD5 hash:
ed942e59d42532ee7d6f4f77d4731c27
SHA1 hash:
bc4ccd093dcd5ee93aa70ba9d9cd781f834cfef0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2b40cbd4-ac5e-4f28-b41b-564f6aa41255/
SH256 hash:
905a0224bb0cd1798dd6596f1c6d21f3f7047acf694927be8d33b2fecb461959
MD5 hash:
df138ec7438047a675455a66dfd39c57
SHA1 hash:
eaba3e8ab0aa02a0657a3adf96d22e816e112f52
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/2b40cbd4-ac5e-4f28-b41b-564f6aa41255/
Parent samples :
ffe925e06253c9e33952ee8e425dc85b5d42889de8eb6a4bbfdc59b85cbbe604
40e28ec4690a7bae4422ccae4502be2ae8de7538bba656cd6e5f4614ea621db9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/8565/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments