Windows Analysis Report
5qJ6QQTcRS.exe
Overview
General Information
Field | Value |
---|---|
Sample name | 5qJ6QQTcRS.exe (renamed because the original name is a hash value) |
Original sample name | e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c.exe |
Analysis ID | 1588845 |
MD5 | 78668d52e5b092184a4b8e6788713b3c |
SHA1 | 302e6b4b4f6441acbbfe4e55c6f6d8a83d94f7eb |
SHA256 | e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c |
Tags | exe, user-adrian__luca |
Detection
DarkTortilla, Snake Keylogger, VIP Keylogger
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- 5qJ6QQTcRS.exe (PID: 8140, cmdline: "C:\Users\user\Desktop\5qJ6QQTcRS.exe", MD5: 78668D52E5B092184A4B8E6788713B3C)
  - InstallUtil.exe (PID: 8132, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DarkTortilla | DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. | No Attribution | | |
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | |
{"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | |
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security | |
No Sigma rule has matched.
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T06:14:35.817329+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49982 | 104.21.112.1 | 443 | TCP |
2025-01-11T06:14:38.214770+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49986 | 104.21.112.1 | 443 | TCP |
2025-01-11T06:14:40.599478+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49990 | 104.21.112.1 | 443 | TCP |
2025-01-11T06:14:41.832235+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49992 | 104.21.112.1 | 443 | TCP |
2025-01-11T06:14:44.289038+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49996 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T06:14:34.400712+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49980 | 158.101.44.242 | 80 | TCP |
2025-01-11T06:14:35.291474+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49980 | 158.101.44.242 | 80 | TCP |
2025-01-11T06:14:36.463329+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49983 | 158.101.44.242 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T06:14:45.212528+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.10 | 49997 | 149.154.167.220 | 443 | TCP |