Windows Analysis Report
MT Marine Tiger.exe

Overview

General Information

Sample name: MT Marine Tiger.exe
Analysis ID: 1455418
MD5: 730e2e475c3e7bb87ca8e53f7f31cfdf
SHA1: dc2b601e25719862f02be67becc9e499ad97d5ab
SHA256: faebc09f47203bbe599ac368f12622f38255e957d1435e6763c80bf2ebd988bf
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • MT Marine Tiger.exe (PID: 5968, cmdline: "C:\Users\user\Desktop\MT Marine Tiger.exe", MD5: 730E2E475C3E7BB87CA8E53F7F31CFDF)
    • MT Marine Tiger.exe (PID: 2584, cmdline: "C:\Users\user\Desktop\MT Marine Tiger.exe", MD5: 730E2E475C3E7BB87CA8E53F7F31CFDF)
  • cleanup
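The tree shows the sample launching a second copy of itself (PID 5968 spawning PID 2584, same path, same MD5), and the signature list above includes "Creates a process in suspended mode (likely to inject code)". Together that is the shape of self-injection: a suspended child copy of the same image receives the real payload. The following detection sketch is an added example, not code from Joe Sandbox or from the sample's authors. It runs over constructed Sysmon-style process-creation records that mirror the tree above; the parent of PID 5968 (explorer.exe) and the chrome.exe renderer pair are assumptions added to show how a benign same-image child is down-ranked. Process-creation events do not carry the CREATE_SUSPENDED flag, so the logic keys on tree shape, image location and an identical command line; confirmation would come from memory scanning of the child (as the Yara hits later in this report do) or from Sysmon EID 8/10 activity between the two PIDs.

```python
"""Added example (not from the Joe Sandbox report): flag a process that spawns
a second copy of its own image, the PID 5968 -> PID 2584 pattern shown above."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    severity: str


# Constructed records modelled on the report's process tree. The explorer.exe
# parent of 5968 and the chrome.exe renderer pair are assumptions for this example.
EVENTS = [
    ProcEvent(5968, 4120, r"C:\Users\user\Desktop\MT Marine Tiger.exe",
              r"C:\Windows\explorer.exe",
              '"C:\\Users\\user\\Desktop\\MT Marine Tiger.exe"'),
    ProcEvent(2584, 5968, r"C:\Users\user\Desktop\MT Marine Tiger.exe",
              r"C:\Users\user\Desktop\MT Marine Tiger.exe",
              '"C:\\Users\\user\\Desktop\\MT Marine Tiger.exe"'),
    ProcEvent(7012, 6990, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer'),
]


def _norm(path: str) -> str:
    """Case-fold and normalise separators so image paths compare reliably."""
    return str(PureWindowsPath(path)).lower()


def in_user_writable_dir(image: str) -> bool:
    """True when the image lives where an unprivileged user can drop files."""
    norm = _norm(image)
    return norm.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in norm


def find_self_spawns(events: list[ProcEvent]) -> list[Finding]:
    """Return one Finding per child whose image equals its parent's image.

    Severity rises when the image sits in a user-writable directory and the child
    repeats the parent's command line verbatim (a hollowed copy usually does;
    a browser renderer adds flags such as --type=renderer).
    """
    by_pid = {ev.pid: ev for ev in events}
    findings: list[Finding] = []
    for ev in events:
        if _norm(ev.image) != _norm(ev.parent_image):
            continue
        parent = by_pid.get(ev.ppid)
        same_cmdline = parent is not None and parent.cmdline == ev.cmdline
        writable = in_user_writable_dir(ev.image)
        if writable and same_cmdline:
            severity = "high"
        elif writable or same_cmdline:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(ev.pid, ev.ppid, severity))
    return findings


if __name__ == "__main__":
    for f in find_self_spawns(EVENTS):
        print(f"pid={f.pid} ppid={f.ppid} self-spawn severity={f.severity}")
```

On the constructed input the child PID 2584 is reported as high (user Desktop path, identical command line) while the chrome.exe renderer is reported as low; in a real pipeline the path fragments in `in_user_writable_dir` are the knob to tune per environment.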
Malpedia reference

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}
Yara Overview

Memory Dumps (5 of 15 entries shown)

Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_SnakeKeylogger
Description: Yara detected Snake Keylogger
Author: Joe Security

Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0x14781:$a1: get_encryptedPassword
  • 0x14a77:$a2: get_encryptedUsername
  • 0x1458d:$a3: get_timePasswordChanged
  • 0x14688:$a4: get_passwordField
  • 0x14797:$a5: set_encryptedPassword
  • 0x15da1:$a7: get_logins
  • 0x15d04:$a10: KeyLoggerEventArgs
  • 0x1599d:$a11: KeyLoggerEventArgsEventHandler

Source: 00000002.00000002.3710301121.0000000000812000.00000040.00000400.00020000.00000000.sdmp
Rule: MALWARE_Win_SnakeKeylogger
Description: Detects Snake Keylogger
Author: ditekSHen
Strings:
  • 0x18128:$x1: $%SMTPDV$
  • 0x1818e:$x2: $#TheHashHere%&
  • 0x197b7:$x3: %FTPDV$
  • 0x198ab:$x4: $%TelegramDv$
  • 0x1599d:$x5: KeyLoggerEventArgs
  • 0x15d04:$x5: KeyLoggerEventArgs
  • 0x197db:$m2: Clipboard Logs ID
  • 0x199a7:$m2: Screenshot Logs ID
  • 0x19a73:$m2: keystroke Logs ID
  • 0x1997f:$m4: \SnakeKeylogger\

Source: 00000000.00000002.1255274619.0000000005480000.00000004.08000000.00040000.00000000.sdmp
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
Strings:
  • 0x4aa6b:$x1: In$J$ct0r

Unpacked PEs

Source: 0.2.MT Marine Tiger.exe.5480000.5.raw.unpack
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
Strings:
  • 0x4aa6b:$x1: In$J$ct0r

Source: 0.2.MT Marine Tiger.exe.5480000.5.unpack
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
Strings:
  • 0x48c6b:$x1: In$J$ct0r

Source: 0.2.MT Marine Tiger.exe.3cc7b70.2.unpack
Rule: MALWARE_Win_DLInjector02
Description: Detects downloader injector
Author: ditekSHen
Strings:
  • 0x48c6b:$x1: In$J$ct0r

Source: 2.2.MT Marine Tiger.exe.810000.0.unpack
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 2.2.MT Marine Tiger.exe.810000.0.unpack
Rule: JoeSecurity_GenericDownloader_1
Description: Yara detected Generic Downloader
Author: Joe Security
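Two things in the string hits are worth reading closely. First, the Snake Keylogger rules fire in the dump at 0x812000 of process index 2 (unpacked as 2.2.MT Marine Tiger.exe.810000.0.unpack), while the injector rule fires in process index 0 at 0x5480000, which is consistent with the parent carrying an injector and the spawned copy carrying the stealer. Second, offset 0x1599d appears under both $a11 (KeyLoggerEventArgsEventHandler) and $x5 (KeyLoggerEventArgs): those are the same bytes, the shorter identifier being a prefix of the longer one, so two rules matching there is one string, not two. The scanner below is an added example and is not code from Joe Sandbox or from the rule authors (Joe Security, ditekSHen, or the Windows_Trojan_SnakeKeylogger rule). It re-implements what the Strings lines show, locating the marker strings in a buffer in both ASCII and UTF-16LE ("wide") form and printing them in the report's offset:$id: string layout. The marker strings are copied from the hits above; grouping the three "Logs ID" strings under $m2 is an inference from the report showing one identifier for all three, and the condition in matches_condition is a hypothetical one written for this example, not the real MALWARE_Win_SnakeKeylogger condition. The dump it scans is constructed filler, not sample bytes.

```python
"""Added example; not code from Joe Sandbox or from any of the Yara rule authors.
Locate Snake Keylogger marker strings (ASCII and wide) in a memory buffer and
report them as the Joe Sandbox 'Strings' lines do: offset:$id: string."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Marker strings copied from the report's hits. Identifiers mirror the report;
# the three 'Logs ID' strings share $m2 because the report shows one identifier
# matching all three (an inference about the rule, not its actual definition).
MARKERS = {
    "$x1": [b"$%SMTPDV$"],
    "$x2": [b"$#TheHashHere%&"],
    "$x3": [b"%FTPDV$"],
    "$x4": [b"$%TelegramDv$"],
    "$x5": [b"KeyLoggerEventArgs"],
    "$m2": [b"Clipboard Logs ID", b"Screenshot Logs ID", b"keystroke Logs ID"],
    "$m4": [b"\\SnakeKeylogger\\"],
}


@dataclass(frozen=True)
class Hit:
    offset: int
    ident: str
    encoding: str  # "ascii" or "wide"
    text: str


def scan(data: bytes) -> list[Hit]:
    """Find every occurrence of every marker, ASCII and UTF-16LE, sorted by offset."""
    hits: list[Hit] = []
    for ident, patterns in MARKERS.items():
        for pat in patterns:
            wide = pat.decode("ascii").encode("utf-16-le")
            for encoding, needle in (("ascii", pat), ("wide", wide)):
                for m in re.finditer(re.escape(needle), data):
                    hits.append(Hit(m.start(), ident, encoding, pat.decode("ascii")))
    return sorted(hits, key=lambda h: (h.offset, h.ident))


def format_hits(hits: list[Hit]) -> list[str]:
    """Render hits in the report's layout, e.g. '0x15d04:$x5: KeyLoggerEventArgs'."""
    return [
        f"0x{h.offset:x}:{h.ident}: {h.text}" + (" (wide)" if h.encoding == "wide" else "")
        for h in hits
    ]


def matches_condition(hits: list[Hit]) -> bool:
    """Hypothetical condition written for this example (NOT the real
    MALWARE_Win_SnakeKeylogger condition): two distinct $x markers, or $x5
    together with any $m marker. A lone 'KeyLoggerEventArgs' is not enough,
    since that identifier alone could come from an unrelated .NET keylogging library."""
    ids = {h.ident for h in hits}
    x_ids = {i for i in ids if i.startswith("$x")}
    m_ids = {i for i in ids if i.startswith("$m")}
    return len(x_ids) >= 2 or ("$x5" in x_ids and bool(m_ids))


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump (not real sample bytes): zero filler
    with markers at chosen offsets. The first marker is the longer identifier
    'KeyLoggerEventArgsEventHandler', whose prefix also satisfies $x5, the same
    overlap the report shows at 0x1599d."""
    buf = bytearray(0x200)

    def put(offset: int, blob: bytes) -> None:
        buf[offset:offset + len(blob)] = blob

    put(0x010, b"KeyLoggerEventArgsEventHandler")
    put(0x040, b"KeyLoggerEventArgs")
    put(0x080, "$%SMTPDV$".encode("utf-16-le"))  # wide form; .NET user strings are UTF-16LE
    put(0x0c0, b"Screenshot Logs ID")
    put(0x100, b"\\SnakeKeylogger\\")
    return bytes(buf)


if __name__ == "__main__":
    found = scan(build_sample_dump())
    print("\n".join(format_hits(found)))
    print("condition:", matches_condition(found))
```

A real Yara rule expresses the same dual-encoding search with the `ascii wide` modifiers on each string; scanning both forms matters for .NET samples because identifiers in the metadata tables are ASCII while user strings in the #US heap are UTF-16LE, and a dump taken at a different stage of unpacking may hold either.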