Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5qJ6QQTcRS.exe

Overview

General Information

Sample name:5qJ6QQTcRS.exe
renamed because original name is a hash value
Original sample name:e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c.exe
Analysis ID:1588845
MD5:78668d52e5b092184a4b8e6788713b3c
SHA1:302e6b4b4f6441acbbfe4e55c6f6d8a83d94f7eb
SHA256:e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c
Tags:exeuser-adrian__luca
Infos:

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 5qJ6QQTcRS.exe (PID: 8140 cmdline: "C:\Users\user\Desktop\5qJ6QQTcRS.exe" MD5: 78668D52E5B092184A4B8E6788713B3C)
    • InstallUtil.exe (PID: 8132 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
DarkTortillaDarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
SourceRuleDescriptionAuthorStrings
00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
    00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
        00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
          • 0x2daa0:$a1: get_encryptedPassword
          • 0x2e028:$a2: get_encryptedUsername
          • 0x2d713:$a3: get_timePasswordChanged
          • 0x2d82a:$a4: get_passwordField
          • 0x2dab6:$a5: set_encryptedPassword
          • 0x307d2:$a6: get_passwords
          • 0x30b66:$a7: get_logins
          • 0x307be:$a8: GetOutlookPasswords
          • 0x30177:$a9: StartKeylogger
          • 0x30abf:$a10: KeyLoggerEventArgs
          • 0x30217:$a11: KeyLoggerEventArgsEventHandler
          Click to see the 22 entries
          SourceRuleDescriptionAuthorStrings
          0.2.5qJ6QQTcRS.exe.3b01960.0.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            0.2.5qJ6QQTcRS.exe.3ab6d70.2.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
              0.2.5qJ6QQTcRS.exe.5b60000.3.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
                0.2.5qJ6QQTcRS.exe.5b60000.3.raw.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
                  0.2.5qJ6QQTcRS.exe.3b01960.0.raw.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
                    Click to see the 21 entries
                    No Sigma rule has matched
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-11T06:14:35.817329+010028033053Unknown Traffic192.168.2.1049982104.21.112.1443TCP
                    2025-01-11T06:14:38.214770+010028033053Unknown Traffic192.168.2.1049986104.21.112.1443TCP
                    2025-01-11T06:14:40.599478+010028033053Unknown Traffic192.168.2.1049990104.21.112.1443TCP
                    2025-01-11T06:14:41.832235+010028033053Unknown Traffic192.168.2.1049992104.21.112.1443TCP
                    2025-01-11T06:14:44.289038+010028033053Unknown Traffic192.168.2.1049996104.21.112.1443TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-11T06:14:34.400712+010028032742Potentially Bad Traffic192.168.2.1049980158.101.44.24280TCP
                    2025-01-11T06:14:35.291474+010028032742Potentially Bad Traffic192.168.2.1049980158.101.44.24280TCP
                    2025-01-11T06:14:36.463329+010028032742Potentially Bad Traffic192.168.2.1049983158.101.44.24280TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-11T06:14:45.212528+010018100071Potentially Bad Traffic192.168.2.1049997149.154.167.220443TCP

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection