MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03b59ea7bb1e2da157ae489381b5b047536b6737bf87feeba65b499ee484b4db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03b59ea7bb1e2da157ae489381b5b047536b6737bf87feeba65b499ee484b4db
SHA3-384 hash: 4ae6187b2c18212ae7c8537bc6978306e4888459a07630ab547665e3e45bd636b07678699e6e48b34ff6e53bd14b9f8b
SHA1 hash: 43cf90715186f227ec1ec000b685d6c482603cdc
MD5 hash: cc3253efe39d2af6bb3e7204da12690b
humanhash: oranges-triple-finch-charlie
File name:RFQ_Company_Documents_September_pdf.js
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:195'905 bytes
First seen:2025-09-01 09:34:04 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:peq4J+TiWmvqOhuSNzoLAZPHB4WHxfpGpjp7xPlAuNlVRMYUgBihf:0qtTiWmyOIdLAZmPlAuNlVRMYUgBi9
Threatray 312 similar samples on MalwareBazaar
TLSH T1ED14C63DC6B0ECD8437E30D056693B1221AC1BA3F6B61F5CB4C249AA5E1554ADB7B28C
Magika javascript
Reporter abuse_ch
Tags:js SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BAT.Agent-38.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b568deeb163e0ec183f915
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm masquerade obfuscated
Link:
https://www.filescan.io/uploads/68b5696d8d7e238761856c19/reports/37a79faa-6b52-44fd-8de5-290127d23f6f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/03b59ea7bb1e2da157ae489381b5b047536b6737bf87feeba65b499ee484b4db
Verdict:
Malicious
File Type:
js
First seen:
2025-08-31T22:08:00Z UTC
Last seen:
2025-08-31T22:08:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/03b59ea7bb1e2da157ae489381b5b047536b6737bf87feeba65b499ee484b4db/results?tab=lookup
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768843
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768843 Sample: RFQ_Company_Documents_Septe... Startdate: 01/09/2025 Architecture: WINDOWS Score: 100 111 reallyfreegeoip.org 2->111 113 checkip.dyndns.org 2->113 115 checkip.dyndns.com 2->115 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Multi AV Scanner detection for submitted file 2->133 137 12 other signatures 2->137 10 wscript.exe 1 1 2->10         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        18 7 other processes 2->18 signatures3 135 Tries to detect the country of the analysis system (by using the IP) 111->135 process4 dnsIp5 89 C:\Users\user\AppData\...\OrbitalProtocol.bat, ASCII 10->89 dropped 143 Wscript starts Powershell (via cmd or directly) 10->143 145 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->145 147 Suspicious execution chain found 10->147 149 Creates processes via WMI 10->149 21 cmd.exe 1 10->21         started        24 cmd.exe 14->24         started        26 conhost.exe 14->26         started        28 cmd.exe 1 16->28         started        30 conhost.exe 16->30         started        117 127.0.0.1 unknown unknown 18->117 32 cmd.exe 1 18->32         started        34 cmd.exe 1 18->34         started        36 cmd.exe 18->36         started        38 9 other processes 18->38 file6 signatures7 process8 signatures9 139 Suspicious powershell command line found 21->139 141 Wscript starts Powershell (via cmd or directly) 21->141 40 cmd.exe 1 21->40         started        42 conhost.exe 21->42         started        44 cmd.exe 24->44         started        47 cmd.exe 28->47         started        49 cmd.exe 1 32->49         started        51 cmd.exe 1 34->51         started        53 cmd.exe 36->53         started        55 cmd.exe 38->55         started        57 2 other processes 38->57 process10 signatures11 59 cmd.exe 2 40->59         started        159 Suspicious powershell command line found 44->159 161 Wscript starts Powershell (via cmd or directly) 44->161 62 powershell.exe 44->62         started        65 conhost.exe 44->65         started        67 2 other processes 47->67 70 2 other processes 49->70 72 2 other processes 51->72 74 2 other processes 53->74 76 2 other processes 55->76 78 4 other processes 57->78 process12 dnsIp13 151 Suspicious powershell command line found 59->151 153 Wscript starts Powershell (via cmd or directly) 59->153 80 powershell.exe 18 29 59->80         started        85 conhost.exe 59->85         started        91 C:\Users\user\AppData\Roaming\...\c112.bat, ASCII 62->91 dropped 155 Tries to steal Mail credentials (via file / registry access) 62->155 157 Tries to harvest and steal browser information (history, passwords, etc) 62->157 119 158.101.44.242, 49718, 49720, 49723 ORACLE-BMC-31898US United States 67->119 93 C:\Users\user\AppData\Roaming\...\f886.bat, ASCII 67->93 dropped 95 C:\Users\user\AppData\Roaming\...\b99f.bat, ASCII 70->95 dropped 97 C:\Users\user\AppData\Roaming\...\fd1b.bat, ASCII 72->97 dropped 99 C:\Users\user\AppData\Roaming\...\7074.bat, ASCII 74->99 dropped 101 C:\Users\user\AppData\Roaming\...\bc25.bat, ASCII 76->101 dropped 103 C:\Users\user\AppData\Roaming\...\bd56.bat, ASCII 78->103 dropped 105 C:\Users\user\AppData\Roaming\...\a29d.bat, ASCII 78->105 dropped file14 signatures15 process16 dnsIp17 107 checkip.dyndns.com 193.122.6.168, 49699, 49713, 49715 ORACLE-BMC-31898US United States 80->107 109 reallyfreegeoip.org 104.21.48.1, 443, 49700, 49714 CLOUDFLARENETUS United States 80->109 87 C:\Users\user\AppData\Roaming\...\3f4b.bat, ASCII 80->87 dropped 121 Drops script or batch files to the startup folder 80->121 123 Tries to steal Mail credentials (via file / registry access) 80->123 125 Found suspicious powershell code related to unpacking or dynamic code loading 80->125 127 Loading BitLocker PowerShell Module 80->127 file18 signatures19
Verdict:
Malware
YARA:
1 match(es)
Tags:
Base64 Block Contains Base64 Block DeObfuscated PowerShell
Link:
https://app.malva.re/file/cc3253efe39d2af6bb3e7204da12690b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03b59ea7bb1e2da157ae489381b5b047536b6737bf87feeba65b499ee484b4db/
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-01 09:35:54 UTC
File Type:
Text (HTML)
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ao2z5j53dyw2cv5ojcjydnnqi5jwwzzxx6d7525glnez5zeewtnq._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
0bf2ffc9062fe7e1ff53dcc72b991b849ec2fbf8584d5059d79652eae54c8a6e
SnakeKeylogger
50ab76de58e60529cb89c267d3bc0dc7ca9cf7d9293958c7a943d6c6b3416444
SnakeKeylogger
6d9ffdcf60c5222b9ee0a98b2f67e738a389681bd881ccbb143bb7b35befc499
SnakeKeylogger
9789ce4243643c7ec5090f1358e86802603e6ea2f900326001e43169c724e301
SnakeKeylogger
dd571605c43f67c667cf409ddffd8fadbe022d45239f7aa61e584f0c2cd274f4
SnakeKeylogger
e19d4607d84da3e5f8203d2a46c4459edaa7d83ccde55401a0e0ddf860312bb1
SnakeKeylogger
e67edd1c28b2e06c3be00d3116a1ed0dee0835d6de2efa6f85b9aa8c8489b230
SnakeKeylogger
ec145d51cb891b1e9a1e31088c0803371b5804baee1e766016b0a6f6e471f385
SnakeKeylogger
error
SnakeKeylogger
ff6ee4d16712bd542ca2860a4bfe3b9ca7dd88f70d54215e069ffc3ec2cb7ea6
SnakeKeylogger
+ 302 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection execution keylogger stealer
Link:
https://tria.ge/reports/250901-llvk5stmy6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Process spawned unexpected child process
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8276519013:AAEwAXep-GSs1g7rvrhtPdVTDu6x1TeBu9c/sendMessage?chat_id=5485275217
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03b59ea7bb1e2da157ae489381b5b047536b6737bf87feeba65b499ee484b4db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments