Analysis Report FOB offer_1164087223_I0133P2100363812.PDF.exe

Overview

General Information

Sample Name: FOB offer_1164087223_I0133P2100363812.PDF.exe
Analysis ID: 356476
MD5: b10eafcd59bf5d8b5fcaea7175343da7
SHA1: ba5b3ade8e66f73650eb50ec3ca78695e215e4e9
SHA256: e2a36e86351414834625d38ab44ba38de9195a28ab9b4445696c98f80fef9e09
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Yara detected Snake Keylogger
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Moves itself to temp directory
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1269002131", "Telegram Token": "1647674293:AAGNVWUWKyHBC371hZtzAT17lVk_md2UWO8"}}
Machine Learning detection for sample
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49720 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: RunPE.pdb source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235188024.00000000034A1000.00000004.00000001.sdmp

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.88.193.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49720 version: TLS 1.0
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp String found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HB
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.38
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp, FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500175759.0000000002DCA000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: FOB offer_1164087223_I0133P2100363812.PDF.exe
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCaptIt.dll. vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.234481107.0000000001046000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameScreenCapturer.exe> vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp Binary or memory string: OriginalFilename8J3XI1GM.exe4 vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235188024.00000000034A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE.dll" vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.495822609.0000000000466000.00000040.00000001.sdmp Binary or memory string: OriginalFilename8J3XI1GM.exe4 vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498273305.0000000000F20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498081302.0000000000BC6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000000.233410329.0000000000A36000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameScreenCapturer.exe> vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Binary or memory string: OriginalFilenameScreenCapturer.exe> vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Uses 32bit PE files
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.d10000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.FOB offer_1164087223_I0133P2100363812.PDF.exe.d10000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.FOB offer_1164087223_I0133P2100363812.PDF.exe.700000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.700000.1.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FOB offer_1164087223_I0133P2100363812.PDF.exe.log
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe 'C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe'
Source: unknown Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static file information: File size 3356672 > 1048576
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x332e00
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235188024.00000000034A1000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xA4622821 [Thu May 24 02:17:05 2057 UTC]
Yara detected Beds Obfuscator
Source: Yara match File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243473367.00000000063B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.raw.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D14041 push eax; ret 0_2_00D1404E
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D14E64 push eax; iretd 0_2_00D14E62
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D17466 push eax; ret 0_2_00D17470
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D135D8 push dword ptr [esi+0Bh]; ret 0_2_00D135EE
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D141C2 push esp; retf 0_2_00D141C5
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D165F3 push ebx; ret 0_2_00D16626
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D16BFE push esi; retf 0_2_00D16C01
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D14391 push 33FAF72Eh; retf 0_2_00D14396
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D165BE push ebx; ret 0_2_00D16626
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D14DA0 push eax; iretd 0_2_00D14E62
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D13977 push ecx; ret 0_2_00D139A2
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_00D14D3A push eax; iretd 0_2_00D14E62
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 0_2_03338A10 push dword ptr [ebp+5D906A8Dh]; ret 0_2_03338A33
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00704E64 push eax; iretd 1_2_00704E62
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00707466 push eax; ret 1_2_00707470
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00704041 push eax; ret 1_2_0070404E
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00703977 push ecx; ret 1_2_007039A2
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00704D3A push eax; iretd 1_2_00704E62
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_007065F3 push ebx; ret 1_2_00706626
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00706BFE push esi; retf 1_2_00706C01
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_007035D8 push dword ptr [esi+0Bh]; ret 1_2_007035EE
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_007041C2 push esp; retf 1_2_007041C5
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_007065BE push ebx; ret 1_2_00706626
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00704DA0 push eax; iretd 1_2_00704E62
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_00704391 push 33FAF72Eh; retf 1_2_00704396
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_02C353C7 push eax; ret 1_2_02C353CA
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_02C353D7 push ecx; ret 1_2_02C353DA
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_02C356AF push edx; ret 1_2_02C356B6
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_02C35663 push edx; ret 1_2_02C3566A
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_02C3567F push edx; ret 1_2_02C35686
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Code function: 1_2_02C35617 push edx; ret 1_2_02C3561E

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\fob offer_1164087223_i0133p2100363812.pdf.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG544.tmp
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243473367.00000000063B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.raw.unpack, type: UNPACKEDPE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498683632.000000000112E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp Binary or memory string: Progman
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.500175759.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
162.88.193.70 unknown United States 33517 DYNDNSUS false
104.21.19.200 unknown United States 13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
freegeoip.app 104.21.19.200 true
checkip.dyndns.com 162.88.193.70 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false Avira URL Cloud: safe unknown