MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a1ac0566d753f699dd7fffb5b96326812eb33c19e454b93fa916a21fcbca4c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 13



SHA256 hash: 7a1ac0566d753f699dd7fffb5b96326812eb33c19e454b93fa916a21fcbca4c0
SHA3-384 hash: febb150f50b93520b8cd6e093d42bea3ded98b80ef922e78f0675c08ede4a0c3aa2f7ef93347e088bc5c33f861be94ed
SHA1 hash: 0e9f855e86b05e3f00003bb08aa2a3adb018a1b8
MD5 hash: e42abdf045914ed41b0bbc7c17de68a9
humanhash: red-tango-arizona-alpha
File name: output_1762247586.bat
Signature: SnakeKeylogger
File size: 160'376 bytes
First seen: 2025-11-04 17:18:05 UTC
Last seen: 2025-11-05 15:02:15 UTC
File type: Batch (bat)
MIME type: text/plain
ssdeep: 3072:9qs5BWLAqyXT0lOR9aPF6iua7xmqSB//PDTRx5/LQ+9e855Xh3bBS+:9qs5BWLAqyjci0Z7YrB/H/1LQseQb
Threatray: 61 similar samples on MalwareBazaar
TLSH: T1F2F3063D9564ADC307F975B35E692A0F2008CAD3AD623B2FE954CB9A3854584CBF311B
Magika: batch
Reporter: lowmal3
Tags: bat SnakeKeylogger

Intelligence


File Origin
# of uploads: 4
# of downloads: 61
Origin country: DE
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _7a1ac0566d753f699dd7fffb5b96326812eb33c19e454b93fa916a21fcbca4c0.txt
Verdict: No threats detected
Analysis date: 2025-11-04 17:19:59 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: obfuscate xtreme shell
Result
Verdict: Malware
Maliciousness:
Behaviour:
Running batch commands
Launching cmd.exe command interpreter
Creating a file
Launching a process
DNS request
Connection attempt
Creating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Connecting to a non-recommended domain
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 evasive obfuscated powershell
Verdict: Malicious
File Type: unix shell
First seen: 2025-11-04T09:48:00Z UTC
Last seen: 2025-11-05T15:45:00Z UTC
Hits: ~1000
Detections:
HEUR:Trojan.PowerShell.Tesre.sb
Trojan.PowerShell.AmsiBypass.sb
PDM:Trojan.Win32.Generic
HEUR:Trojan.BAT.Tesre.gen
Trojan-Spy.MSIL.SnakeLogger.sb
Trojan-PSW.Win32.Stealer.sb
Trojan.BAT.Agent.sb
Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Behaviour
Behavior graph (ID 1807948, sample output_1762247586.bat, start date 04/11/2025, architecture WINDOWS, score 100). The graph image itself is not reproduced here; the data recoverable from it follows.

Process tree: the sample is launched through cmd.exe (three cmd.exe launchers, each with a conhost.exe) plus 8 other top-level processes; each cmd.exe chain spawns further cmd.exe instances and then "2 other processes" (6 in one case), 14 other processes in total under the remaining launchers.

Network:
sportploiesti.ro 93.119.153.1, ports 49706, 49722, 49737 (GTSCEGTSCentralEuropeAntelGermanyCZ, Romania)
checkip.dyndns.com 132.226.247.73, ports 49691, 49694, 49696 (UTMEMUS, United States)
reallyfreegeoip.org 172.67.177.134, 443, 49693, 49695 (CLOUDFLARENETUS, United States); node signature: Tries to detect the country of the analysis system (by using the IP)
158.101.44.242, ports 49767, 49770, 49772 (ORACLE-BMC-31898US, United States)
3 other IPs or domains

Dropped files (ASCII batch files under C:\Users\user\AppData\Roaming\...):
1507.bat, e1d6.bat, d862.bat, 2038.bat, 58c9.bat, 04ab.bat, 2ac9.bat, c3d0.bat, plus 2 other malicious files

Signatures attached to graph nodes:
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Snake Keylogger
11 other signatures
Suspicious powershell command line found
Bypasses PowerShell execution policy
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection execution keylogger stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8339120164:AAESuTDCePEPy5CYFLQQ1I3TaczfB2MoJhU/sendMessage?chat_id=744079942
(This is the Telegram Bot API sendMessage endpoint: stolen data leaves as HTTPS to api.telegram.org, a legitimate shared host, so the bot token in the URL path and the chat_id parameter are the indicators to hunt and block on, not the hostname alone.)
Malware family: SnakeKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_PS1_JAB_Pattern_Jun22_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference: Internal Research
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: SnakeKeylogger
Sample: Batch (bat) 7a1ac0566d753f699dd7fffb5b96326812eb33c19e454b93fa916a21fcbca4c0 (this sample)
Delivery method: Distributed via e-mail attachment

Comments