MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd
SHA3-384 hash: ca8bc8567c4f2a7b753dd8abd5ad9cd91010104493c9058a29c641ee31fafa4c5dd993be3f3606a6ab621dfee8dbe103
SHA1 hash: 1278517a8e4bb26fa20684075ba32661d708b378
MD5 hash: 237852fa369bfecc7ccb646fd3460b42
humanhash: shade-sink-stream-robin
File name:SOA Balance Payment.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:744'968 bytes
First seen:2025-06-17 09:20:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:TtDB6yxN7R3WrMRY1mGkBs6irI2x+PJy9b/2xPofJBMC4DnfvkR:ThXkRAGkStIMQUb/2lofjD4Li
Threatray 3'875 similar samples on MalwareBazaar
TLSH T1BCF49C7822F1A702C875467227E1D1386AE05FACDDD2D306E6F81DC7B246ED83A8954F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 74e4dcccc8ccdcd4 (4 x Formbook, 2 x AsyncRAT, 2 x Loki)
Reporter cocaman
Tags:exe payment SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
442
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA Balance Payment.zip.001
Verdict:
Suspicious activity
Analysis date:
2025-06-03 10:45:53 UTC
Tags:
arch-exec netreactor
Link:
https://app.any.run/tasks/0e6d9d1c-5e2e-40e8-8f63-46e69d817927

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9838/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68513383f08ffc92600dc810
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature masquerade mikey obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/68513417fd02ed5e05af482b/reports/b2cf9888-9609-4f5c-ab7a-c4c448110bfb/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f8d2518-b5d9-4b5e-9176-b10b35f160e0
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1716281
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1716281 Sample: SOA Balance Payment.exe Startdate: 17/06/2025 Architecture: WINDOWS Score: 100 53 reallyfreegeoip.org 2->53 55 checkip.dyndns.org 2->55 57 checkip.dyndns.com 2->57 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Sigma detected: Scheduled temp file as task from temp location 2->67 71 10 other signatures 2->71 9 SOA Balance Payment.exe 7 2->9         started        13 CYScSqblw.exe 4 2->13         started        signatures3 69 Tries to detect the country of the analysis system (by using the IP) 53->69 process4 file5 47 C:\Users\user\AppData\Roaming\CYScSqblw.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\tmpA6B3.tmp, XML 9->49 dropped 51 C:\Users\user\...\SOA Balance Payment.exe.log, ASCII 9->51 dropped 73 Writes to foreign memory regions 9->73 75 Allocates memory in foreign processes 9->75 77 Adds a directory exclusion to Windows Defender 9->77 79 Injects a PE file into a foreign processes 9->79 15 powershell.exe 23 9->15         started        18 powershell.exe 23 9->18         started        20 RegSvcs.exe 15 4 9->20         started        23 schtasks.exe 1 9->23         started        81 Multi AV Scanner detection for dropped file 13->81 25 schtasks.exe 13->25         started        27 WerFault.exe 13->27         started        signatures6 process7 dnsIp8 83 Loading BitLocker PowerShell Module 15->83 29 conhost.exe 15->29         started        31 WmiPrvSE.exe 15->31         started        33 conhost.exe 18->33         started        59 checkip.dyndns.com 132.226.247.73, 49690, 49693, 49697 UTMEMUS United States 20->59 61 reallyfreegeoip.org 104.21.16.1, 443, 49691, 49696 CLOUDFLARENETUS United States 20->61 35 cmd.exe 20->35         started        37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        signatures9 process10 process11 43 conhost.exe 35->43         started        45 choice.exe 35->45         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd/
Threat name:
ByteCode-MSIL.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2025-05-29 07:01:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w7ni4hnct3ypmm5jb3mnuz3ri75ka6c52ldimogqylced4y5b7gq._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
4e504e5cd7c31299740b00ea1d3a9864d990efc00210d0f0c0b5ad28c4306d81
SnakeKeylogger
7b2118ed1133b43f2521509f4eac9e89b89cdfc389208099cc6e601aaf95c836
SnakeKeylogger
9515b697030a6361fee15cb76079d448d0a754ce2552ab74fc690a73f5b602f9
SnakeKeylogger
989b2568cd870052182bd637a9a5a1bf68461e2fa59763678f88f634bfd1d51c
SnakeKeylogger
b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd
SnakeKeylogger
error
SnakeKeylogger
+ 3'865 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger discovery execution keylogger stealer
Link:
https://tria.ge/reports/250617-lcb3favps4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Verdict:
Malicious
Tags:
Win.Trojan.Mikey-9839945-0
YARA:
n/a
Link:
https://app.threat.zone/submission/7109c5e1-5e6f-4081-88f4-c87b4915d668
Unpacked files
SH256 hash:
b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd
MD5 hash:
237852fa369bfecc7ccb646fd3460b42
SHA1 hash:
1278517a8e4bb26fa20684075ba32661d708b378
Link:
https://www.unpac.me/results/d4285673-f937-4348-8b23-2496d4d652de/
SH256 hash:
ff55838cf83322ceab30a512da916f2821181007e95c8fa68674825df8c819b4
MD5 hash:
c9d09ec2449e60042cfc5222e0905ac9
SHA1 hash:
00f21d00230d6595f91ea5c990910f86bbfa44b1
Link:
https://www.unpac.me/results/d4285673-f937-4348-8b23-2496d4d652de/
SH256 hash:
ddb94967d03b05957e3b2aee29b9e6f89664d8dc8ee2559e4a037c48b059d653
MD5 hash:
2e6399aa9574cce555b24fc47023a0ac
SHA1 hash:
1df85b908cd7267ce63438e6de427d8b483e2c6c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d4285673-f937-4348-8b23-2496d4d652de/
SH256 hash:
5d98d1e2a97295f6866e29270b991a368e627c6aba47df41133d5bc316dc01c5
MD5 hash:
ef3c526232da6d8bb1ab64da37b0d370
SHA1 hash:
6439358cd27e0beab04693e875246f2241341e72
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
MALWARE_Win_SnakeKeylogger
Create hunting rule
Link:
https://www.unpac.me/results/d4285673-f937-4348-8b23-2496d4d652de/
Parent samples :
d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19
f61db63d8055c98f1c4c11de558dd0f2f7f6fbd755dd5de8b60cdec9fe53ab70
b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 2e564e932a35064c4e6bb9b75bbb007a402bc854abee0aaba1c1c2fac23cca92

SnakeKeylogger

Executable exe b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2e564e932a35064c4e6bb9b75bbb007a402bc854abee0aaba1c1c2fac23cca92
  
Dropped by
MD5 28b8e3509ee3b4e6e4c91c70bbff9b68
Cape
Cape
https://www.capesandbox.com/analysis/9838/

Comments