Windows Analysis Report
MT Marine Tiger.exe


General Information

Sample name: MT Marine Tiger.exe
Analysis ID: 1455418


Snake Keylogger
Range: 0 - 100


Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match


  • System is w10x64
  • MT Marine Tiger.exe (PID: 5968 cmdline: "C:\Users\user\Desktop\MT Marine Tiger.exe" MD5: 730E2E475C3E7BB87CA8E53F7F31CFDF)
    • MT Marine Tiger.exe (PID: 2584 cmdline: "C:\Users\user\Desktop\MT Marine Tiger.exe" MD5: 730E2E475C3E7BB87CA8E53F7F31CFDF)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}
Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_SnakeKeylogger
Description: Yara detected Snake Keylogger
Author: Joe Security
  • 0x14781:$a1: get_encryptedPassword
  • 0x14a77:$a2: get_encryptedUsername
  • 0x1458d:$a3: get_timePasswordChanged
  • 0x14688:$a4: get_passwordField
  • 0x14797:$a5: set_encryptedPassword
  • 0x15da1:$a7: get_logins
  • 0x15d04:$a10: KeyLoggerEventArgs
  • 0x1599d:$a11: KeyLoggerEventArgsEventHandler

Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: MALWARE_Win_SnakeKeylogger
Description: Detects Snake Keylogger
Author: ditekSHen
  • 0x18128:$x1: $%SMTPDV$
  • 0x1818e:$x2: $#TheHashHere%&
  • 0x197b7:$x3: %FTPDV$
  • 0x198ab:$x4: $%TelegramDv$
  • 0x1599d:$x5: KeyLoggerEventArgs
  • 0x15d04:$x5: KeyLoggerEventArgs
  • 0x197db:$m2: Clipboard Logs ID
  • 0x199a7:$m2: Screenshot Logs ID
  • 0x19a73:$m2: keystroke Logs ID
  • 0x1997f:$m4: \SnakeKeylogger\

Source: 00000000.00000002.1255274619.0000000005480000.00000004.08000000.00040000.00000000.sdmp
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
  • 0x4aa6b:$x1: In$J$ct0r
Source: 0.2.MT Marine Tiger.exe.5480000.5.raw.unpack
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
  • 0x4aa6b:$x1: In$J$ct0r

Source: 0.2.MT Marine Tiger.exe.5480000.5.unpack
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
  • 0x48c6b:$x1: In$J$ct0r

Source: 0.2.MT Marine Tiger.exe.3cc7b70.2.unpack
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
  • 0x48c6b:$x1: In$J$ct0r

Source: 2.2.MT Marine Tiger.exe.810000.0.unpack
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 2.2.MT Marine Tiger.exe.810000.0.unpack
Rule: JoeSecurity_GenericDownloader_1
Description: Yara detected Generic Downloader
Author: Joe Security