MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger
Vendor detections: 12

SHA256 hash: a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e
SHA3-384 hash: 7cc69b49e4c80cc6d1f115fde60b5f1f910999d0d717474a0026732c67be2efe812f9571a07187d7c61965f9d63a5da4
SHA1 hash: 0f5b6a4a92d09c84dee81b5adfb2fd06d0164d87
MD5 hash: 8341669f2343d4278582609720bfa160
humanhash: mountain-golf-violet-california
File name: New Order.vbs
Signature: SnakeKeylogger
File size: 206'155 bytes
First seen: 2025-03-27 10:31:13 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 3072:hLURz9FVOOUU/wW4MoQB3zAyfHf91BIHLK/AFpVi8qgZ3Dxy4XXQNdDadKzM8KiH:hLyEyfHf7BIHL68qY3NHTkh
Threatray: 2'036 similar samples on MalwareBazaar
TLSH: T1E5147CFEC3E16DA00772B0B7572D3D0125ACCB92EB656E3EE1D8087E29D1A11B4F5894
Magika: vba
Reporter: lowmal3
Tags: SnakeKeylogger vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 105
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: obfuscate autorun xtreme sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade obfuscated

Result
Verdict: MALICIOUS
Details: Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.

Result
Threat name: Batch Injector, Snake Keylogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Behaviour

Behavior Graph (ID 1650011; sample New Order.vbs; start date 27/03/2025; architecture WINDOWS; score 100). Information recovered from the rendered graph:
Process chain: wscript.exe starts cmd.exe, which starts a further cmd.exe and then powershell.exe (a conhost.exe accompanies each cmd.exe); a second cmd.exe branch also reaches powershell.exe; 8 other processes and 16 other signatures are summarised in the graph.
Dropped files: C:\Users\user\AppData\...\temp_script.bat (ASCII, written by wscript.exe); C:\Users\user\...\StartupScript_1645039f.cmd (ASCII, written by powershell.exe).
Network: reallyfreegeoip.org (104.21.16.1, port 443, CLOUDFLARENETUS, United States); checkip.dyndns.org / checkip.dyndns.com (193.122.130.0, ORACLE-BMC-31898US, United States); 50.31.176.103 (ports listed: 21, 30264, 30265; SERVERCENTRALUS, United States); 127.0.0.1 (unknown).
Signatures attached to graph nodes: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Tries to detect the country of the analysis system (by using the IP); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; Suspicious powershell command line found; Bypasses PowerShell execution policy; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Found suspicious powershell code related to unpacking or dynamic code loading.
Threat name: Script-WScript.Spyware.Snakekeylogger
Status: Malicious
First seen: 2025-03-27 10:32:18 UTC
File Type: Text (VBS)
AV detection: 11 of 24 (45.83%)
Threat level: 2/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger collection discovery execution keylogger stealer
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: SnakeKeylogger
File type: Visual Basic Script (vbs)
SHA256 hash: a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e (this sample)