MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c15d5c57a85cbb55dec53514a8b0ce1e055bc5f49fb9feb2fa307d6a43f36c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 11

SHA256 hash: 7c15d5c57a85cbb55dec53514a8b0ce1e055bc5f49fb9feb2fa307d6a43f36c5
SHA3-384 hash: 6a25b087681b18cc50bedb60fb85137c2903edd85dd7c896648910eb45f5b0f82285e2bab913939bb56dfb79eea6fbbc
SHA1 hash: bb303fa8d1be1269b492a1650f7d678d3c078c15
MD5 hash: e61ebf001df3a0ad9c75c590418c76a4
humanhash: wisconsin-november-mockingbird-double
File name: swift_02364.js
Signature: SnakeKeylogger
File size: 196'659 bytes
First seen: 2025-09-03 09:31:16 UTC
Last seen: Never
File type: JavaScript (JS) js
MIME type: text/plain
ssdeep: 3072:YSGslAuNlVRMYUgBiGTCrp4QhoMfxcgdSaut2a7isiStBTU0RwBCGr+0:llAuNlVRMYUgBiGGLj6gdSVNGsJtBgGI
Threatray: 332 similar samples on MalwareBazaar
TLSH: T15214093CC6B1FDC8073E70E0A22D3F16205C0B93F5319B6CA4C51ABA1D65699AF7A64D
Magika: javascript
Reporter: abuse_ch
Tags: js SnakeKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: obfuscate xtreme spam sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm obfuscated

Verdict: Malicious
File Type: js
First seen: 2025-09-02T22:45:00Z UTC
Last seen: 2025-09-02T22:45:00Z UTC
Hits: ~1000

Result
Threat name: Snake Keylogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Snake Keylogger
Behaviour
Behavior Graph ID: 1770235, Sample: swift_02364.js, Startdate: 03/09/2025, Architecture: WINDOWS, Score: 100
[Behavior graph image not reproduced here. The graph records the wscript.exe > cmd.exe > powershell.exe execution chain, the .bat files dropped under C:\Users\user\AppData\Roaming (one of them into the startup folder), and network contact with reallyfreegeoip.org, checkip.dyndns.com and mutiarakayamas.com.my, matching the signatures listed above.]
Verdict: Malware
YARA: 1 match(es)
Tags: Base64 Block Contains Base64 Block DeObfuscated PowerShell

Threat name: Script-JS.Dropper.XWorm
Status: Malicious
First seen: 2025-09-03 04:34:47 UTC
File Type: Text
AV detection: 8 of 24 (33.33%)
Threat level: 3/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection execution keylogger stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Process spawned unexpected child process
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: SUSP_PS1_JAB_Pattern_Jun22_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference: Internal Research

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actors (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments