MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d156bc233201cf2f3ef12afb2818ec472faee0e4e5f1492106d004031217c55d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d156bc233201cf2f3ef12afb2818ec472faee0e4e5f1492106d004031217c55d
SHA3-384 hash: 3513f7bfbe982dc3a6f52adae6d33a8c5e246d0b4aae16cecd6cf1fd1bf7db3e5f52bade39260277bec5fad41572810d
SHA1 hash: 7f57ce42a7f5729c550a37a47b64b3a46592f1bc
MD5 hash: e484f67789437e2be0eab8d25e72e22d
humanhash: snake-maryland-wolfram-four
File name:Mahmoud Mohamed Abu Eideh CV 2025.js
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:15'358 bytes
First seen:2025-06-16 12:31:34 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:0zLq6MBUkr/OMBTFK/MMnPWlxpUZO+mrrQfEscC:0z2dSkrZ1L0IeMTscC
Threatray 3'705 similar samples on MalwareBazaar
TLSH T1526250809441C6A3AC7383A1676DB465FBAA4043B679E090B0EE9B012F749E1507BECF
Magika javascript
Reporter abuse_ch
Tags:js SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
466
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68500f7607b5e8c1cfe6e803
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/d156bc233201cf2f3ef12afb2818ec472faee0e4e5f1492106d004031217c55d
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1715564
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Reflective Assembly Load
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1715564 Sample: Mahmoud Mohamed Abu Eideh C... Startdate: 16/06/2025 Architecture: WINDOWS Score: 100 25 paste.ee 2->25 27 ia800706.us.archive.org 2->27 29 archive.org 2->29 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected UAC Bypass using CMSTP 2->41 45 13 other signatures 2->45 9 wscript.exe 1 1 2->9         started        signatures3 43 Connects to a pastebin service (likely for C&C) 25->43 process4 dnsIp5 31 paste.ee 23.186.113.60, 443, 49687, 49688 KLAYER-GLOBALNL Reserved 9->31 47 System process connects to network (likely due to code injection or exploit) 9->47 49 JScript performs obfuscated calls to suspicious functions 9->49 51 Suspicious powershell command line found 9->51 53 4 other signatures 9->53 13 powershell.exe 15 16 9->13         started        signatures6 process7 dnsIp8 33 archive.org 207.241.224.2, 443, 49689 INTERNET-ARCHIVEUS United States 13->33 35 ia800706.us.archive.org 207.241.230.76, 443, 49690 INTERNET-ARCHIVEUS United States 13->35 55 Found Tor onion address 13->55 57 Creates autostart registry keys with suspicious values (likely registry only malware) 13->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 13->59 17 cmd.exe 1 13->17         started        19 WMIADAP.exe 4 13->19         started        21 conhost.exe 13->21         started        signatures9 process10 process11 23 conhost.exe 17->23         started       
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d156bc233201cf2f3ef12afb2818ec472faee0e4e5f1492106d004031217c55d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d156bc233201cf2f3ef12afb2818ec472faee0e4e5f1492106d004031217c55d/
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2025-06-15 01:37:41 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fllyizsahhs6pxrfl5sqghmi4x25yhe4xyusiig2acageqxyvoq._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
258168f70a3f2f1a7ce46dd548c13a8b4d822a14644da7b0dbc77118684eee3f
SnakeKeylogger
2a6745ebfc8f6fe258dc62ab69457a53d97802336350ad54f723d232c2ca58c3
SnakeKeylogger
3a33f0319f48278d3f16b75a7f66ce52d72ad79a65a81fbed386abb8a2b47329
SnakeKeylogger
4600e1f35249611dce0f90e70df8f497e4e8d1201a5b92b514144dfddc521a5e
SnakeKeylogger
63ba678815aecb8a822130ec04b4cf2869cc15baf8fe30c72814b84b6082aac7
SnakeKeylogger
6e3b7e91cfd74e8c92b717a46ea27d3c0fdccc75be62bb5c2d8bc58c8acdd9bf
SnakeKeylogger
9013007cca0b9c0b3c4d3b1e8a68a98cba219b8a54908a63e18f1531167d392d
SnakeKeylogger
c82167abd7f99c79f6559f6e5f92db8afdb08d6ebabbd588b0f3c63beaead681
SnakeKeylogger
dc433c8011e80188527c9debf83c0e5462eb46e716a765621f03755218683352
SnakeKeylogger
ee6a640fc9f9d3e23cded0d543313c66467949737aab806f33cd86f9df744780
SnakeKeylogger
error
SnakeKeylogger
+ 3'695 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery execution keylogger persistence stealer
Link:
https://tria.ge/reports/250616-pqe8ssck2s/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8149016468:AAEcCW-rLCadgON_tQETiF8p7rZZkdjDqFA/sendMessage?chat_id=6246770128
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/d156bc233201cf2f3ef12afb2818ec472faee0e4e5f1492106d004031217c55d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments