MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 18

Intelligence 18 IOCs YARA 8 File information Comments

SHA256 hash:	d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19
SHA3-384 hash:	28c5cb74d73824beecd2137f96b32e57e2f19dfebbc57cdc353033729d87d4136da5d72048f4fbc1898b37f8d8e47852
SHA1 hash:	0314841c8bd331dfe59d636ca5fcda2b01d5d49c
MD5 hash:	1eb436524511236fc33ea53162812248
humanhash:	michigan-west-jersey-stairway
File name:	SOA BALANCE.xlx.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	711'176 bytes
First seen:	2025-06-02 07:20:31 UTC
Last seen:	2025-06-16 14:40:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:9MVcpQk1WpI4losjEHkf4+BwY0L+SpOPhGFh7LuH1CELc2kR:9Hw5jkG4pj+WOZGFhXuvm
Threatray	2'552 similar samples on MalwareBazaar
TLSH	T11EE4F1AA1766D603DAB20BF95812C3B207F6ADDCE611E3130FE29DDB3955B442B41387
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	d4d4d4dc9aaa8686 (5 x AgentTesla, 1 x MassLogger, 1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

415

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SOA BALANCE.xlx.exe

Verdict:

Malicious activity

Analysis date:

2025-06-02 07:58:12 UTC

Tags:

netreactor evasion snake keylogger stealer

Link:

https://app.any.run/tasks/ab1fb42f-d0db-45c4-9ac9-d44d8b015ae6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/6823/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.2559.16017.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683d523cacf88f5815eb1a80

Tags:

micro spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature masquerade obfuscated packed packed packer_detected signed vbnet

Link:

https://www.filescan.io/uploads/683d510ffd02ed5e05931b67/reports/64ec4a87-3c0d-469e-8f32-805f63937029/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d27012c-9948-4d18-a487-9e2ecce489ea

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1703765

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses threadpools to delay analysis

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2025-06-02 03:22:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2l6nbkqbgne2nnrvmezphhtzg25gxkou3tgbtthoeqywlel3xymq._file

Verdict:

malicious

Label(s):

unc_loader_037

404keylogger

SnakeKeylogger

32c83ad0392161e5cb654bc817fd6798bf95f3afe176d28f38d326d375599968

SnakeKeylogger

4fb764df7b5111711466cfc2b0023a2bd57cc4459fe3075710f62cf76dd03edf

SnakeKeylogger

56b173e4847bbc6d04930b16600868b15d449563e1138ad6a266d01926e60303

SnakeKeylogger

8337a1c0c50f95b4e6f8ced766b5b8817c2bbd4f9ee1e71c275c6a025cefab7b

SnakeKeylogger

d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19

SnakeKeylogger

error

SnakeKeylogger

+ 2'542 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery execution keylogger stealer

Link:

https://tria.ge/reports/250602-h6d74sxlx9/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5748448c-8aa6-4d00-8226-d3048092e52b

Unpacked files

SH256 hash:

d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19

MD5 hash:

1eb436524511236fc33ea53162812248

SHA1 hash:

0314841c8bd331dfe59d636ca5fcda2b01d5d49c

Link:

https://www.unpac.me/results/4de05e09-fe44-4381-b02a-4f582488cf9f/

SH256 hash:

e88c636f2774aa58f25da772c2d694f481edf65795402372e721bdaadea6402d

MD5 hash:

cb98f515814ea99a08780d67b5e3e8f0

SHA1 hash:

000baf76303b9e04a059c4d674e2991a6ecbab3f

Link:

https://www.unpac.me/results/4de05e09-fe44-4381-b02a-4f582488cf9f/

SH256 hash:

c4fab3cfc00c4b96396a6c0f5b737c17922635808fcea9e92ac75de8fe850224

MD5 hash:

5d710ee291424a7f8b2619c92463337e

SHA1 hash:

2fd22a7a83d1afe432fa99dc033af7b3e2e2bbbe

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/4de05e09-fe44-4381-b02a-4f582488cf9f/

SH256 hash:

5d98d1e2a97295f6866e29270b991a368e627c6aba47df41133d5bc316dc01c5

MD5 hash:

ef3c526232da6d8bb1ab64da37b0d370

SHA1 hash:

6439358cd27e0beab04693e875246f2241341e72

Detections:

win_404keylogger_g1

snake_keylogger

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/4de05e09-fe44-4381-b02a-4f582488cf9f/

Parent samples :

d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19
f61db63d8055c98f1c4c11de558dd0f2f7f6fbd755dd5de8b60cdec9fe53ab70
b7da8e1da29ef0f633a90ed8da677147faa0785dd2c68638d0c2c441f31d0fcd

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d2fcd0aa0133/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2fcd0aa013349a6b6356132f39e7936ba6ba9d4dccc19ccee243165917bbe19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6823/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample