Play interactive tour

Edit tour

Analysis Report FOB offer_1164087223_I0133P2100363812.PDF.exe

Overview

General Information

Sample Name:	FOB offer_1164087223_I0133P2100363812.PDF.exe
Analysis ID:	356476
MD5:	b10eafcd59bf5d8b5fcaea7175343da7
SHA1:	ba5b3ade8e66f73650eb50ec3ca78695e215e4e9
SHA256:	e2a36e86351414834625d38ab44ba38de9195a28ab9b4445696c98f80fef9e09
Tags:	exeSnakeKeylogger
Most interesting Screenshot:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: Suspicious Double Extension

Yara detected Snake Keylogger

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

May check the online IP address of the machine

Moves itself to temp directory

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Beds Obfuscator

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Startup

System is w10x64

FOB offer_1164087223_I0133P2100363812.PDF.exe (PID: 6436 cmdline: 'C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe' MD5: B10EAFCD59BF5D8B5FCAEA7175343DA7)

FOB offer_1164087223_I0133P2100363812.PDF.exe (PID: 6484 cmdline: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe MD5: B10EAFCD59BF5D8B5FCAEA7175343DA7)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1269002131", "Telegram Token": "1647674293:AAGNVWUWKyHBC371hZtzAT17lVk_md2UWO8"}}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.243473367.00000000063B0000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.500175759.0000000002DCA000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, CommandLine: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, NewProcessName: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, OriginalFileName: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe' , ParentImage: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, ParentProcessId: 6436, ProcessCommandLine: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe, ProcessId: 6484

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1269002131", "Telegram Token": "1647674293:AAGNVWUWKyHBC371hZtzAT17lVk_md2UWO8"}}

Machine Learning detection for sample

Show sources

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Joe Sandbox ML: detected

Source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown

HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49720 version: TLS 1.0

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: RunPE.pdb source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235188024.00000000034A1000.00000004.00000001.sdmp

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View

IP Address: 162.88.193.70 162.88.193.70

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp	String found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/HB
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.38
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp, FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500175759.0000000002DCA000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498729765.0000000001143000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: FOB offer_1164087223_I0133P2100363812.PDF.exe

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_03338337
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_03336570
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_03336560
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_03339AB8
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_03339AA8
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C3C2F0
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C30660
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C3AC00
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C3B2B0
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C37B98
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C30B78
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C31098
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C359E0
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06575718
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_065727C8
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_065717F8
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06574798
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06573798
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06570040
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06571010
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06575F00
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06571FE0
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06574F80
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06572FB0
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06573FB0
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06570828
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06572769
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06575768
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06575708
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06573739
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06574738
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_065707C9
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06571799
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06570006
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06575EF1
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06572F50
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06573F31
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06574F20
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06571F81
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_06570FB0

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCaptIt.dll. vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.234481107.0000000001046000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameScreenCapturer.exe> vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename8J3XI1GM.exe4 vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235188024.00000000034A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE.dll" vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.495822609.0000000000466000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename8J3XI1GM.exe4 vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498273305.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498081302.0000000000BC6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000000.233410329.0000000000A36000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameScreenCapturer.exe> vs FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe	Binary or memory string: OriginalFilenameScreenCapturer.exe> vs FOB offer_1164087223_I0133P2100363812.PDF.exe

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, CaptureRectangle.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.d10000.0.unpack, CaptureRectangle.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.FOB offer_1164087223_I0133P2100363812.PDF.exe.d10000.0.unpack, CaptureRectangle.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.FOB offer_1164087223_I0133P2100363812.PDF.exe.700000.0.unpack, CaptureRectangle.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.700000.1.unpack, CaptureRectangle.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FOB offer_1164087223_I0133P2100363812.PDF.exe.log

Jump to behavior

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe 'C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe'
Source: unknown	Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static file information: File size 3356672 > 1048576

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x332e00

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: RunPE.pdb source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235188024.00000000034A1000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xA4622821 [Thu May 24 02:17:05 2057 UTC]

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243473367.00000000063B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D14041 push eax; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D14E64 push eax; iretd
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D17466 push eax; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D135D8 push dword ptr [esi+0Bh]; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D141C2 push esp; retf
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D165F3 push ebx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D16BFE push esi; retf
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D14391 push 33FAF72Eh; retf
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D165BE push ebx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D14DA0 push eax; iretd
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D13977 push ecx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_00D14D3A push eax; iretd
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 0_2_03338A10 push dword ptr [ebp+5D906A8Dh]; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00704E64 push eax; iretd
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00707466 push eax; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00704041 push eax; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00703977 push ecx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00704D3A push eax; iretd
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_007065F3 push ebx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00706BFE push esi; retf
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_007035D8 push dword ptr [esi+0Bh]; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_007041C2 push esp; retf
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_007065BE push ebx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00704DA0 push eax; iretd
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_00704391 push 33FAF72Eh; retf
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C353C7 push eax; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C353D7 push ecx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C356AF push edx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C35663 push edx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C3567F push edx; ret
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Code function: 1_2_02C35617 push edx; ret

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory

Show sources

Source: c:\users\user\desktop\fob offer_1164087223_i0133p2100363812.pdf.exe

File moved: C:\Users\user\AppData\Local\Temp\tmpG544.tmp

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: FOB offer_1164087223_I0133P2100363812.PDF.exe

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243473367.00000000063B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.63b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.4b09170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.47d9340.4.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe TID: 6468

Thread sleep time: -922337203685477s >= -30000s

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.498683632.000000000112E000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Process created: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499555026.0000000001740000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000001.00000002.500175759.0000000002DCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436, type: MEMORY
Source: Yara match	File source: Process Memory Space: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484, type: MEMORY
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.5138fb8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading21	OS Credential Dumping2	Security Software Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information11	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FOB offer_1164087223_I0133P2100363812.PDF.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.FOB offer_1164087223_I0133P2100363812.PDF.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen		Download File

Domains

Source	Detection	Scanner	Link
freegeoip.app	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.org/HB	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.38	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.38	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.38	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	104.21.19.200	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.com	162.88.193.70	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/HB	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/84.17.52.38	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.500063688.0000000002DAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/LoadCountryNameClipboard	FOB offer_1164087223_I0133P2100363812.PDF.exe, 00000001.00000002.499934986.0000000002D61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.88.193.70	unknown	United States		33517	DYNDNSUS	false
104.21.19.200	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356476
Start date:	23.02.2021
Start time:	08:35:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	FOB offer_1164087223_I0133P2100363812.PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 3% (good quality ratio 1.7%) Quality average: 29.9% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.43.139.144, 92.122.145.220, 52.147.198.201, 13.88.21.125, 52.255.188.83, 184.30.20.56, 51.104.144.132, 51.103.5.186, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.88.193.70	purchase order 1.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	telex transfer.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	GPP.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	#11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	swift payment.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	Order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	telex transfer.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ORDEN DE COMPRA.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	banka bilgisi.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	purchase order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	XXXXXXXXXXXXXX.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	170221.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Generic.mg.7ce1863c6187f2ad.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SONIVET SARL NOUVEL ORDER.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Payment_copy.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.app	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	172.67.188.154
	Yao Han Industries 61007-51333893QR001U,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	(appproved)WJO-TT180,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	purchase order.exe	Get hash	malicious	Browse	172.67.188.154
	9073782912,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	SOS URGENT RFQ #2345.exe	Get hash	malicious	Browse	104.21.19.200
	purchase order 1.exe	Get hash	malicious	Browse	172.67.188.154
	telex transfer.exe	Get hash	malicious	Browse	172.67.188.154
	GPP.exe	Get hash	malicious	Browse	172.67.188.154
	DHL Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	104.21.19.200
	#11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Halkbank_Ekstre_20210222_082357_541079.exe	Get hash	malicious	Browse	104.21.19.200
	swift payment.doc	Get hash	malicious	Browse	104.21.19.200
	Order_C3350191107102300.exe	Get hash	malicious	Browse	172.67.188.154
	SecuriteInfo.com.Trojan.Inject4.6572.13919.exe	Get hash	malicious	Browse	104.21.19.200
	Order.exe	Get hash	malicious	Browse	104.21.19.200
	ORDER PURCHASE ITEMS.exe	Get hash	malicious	Browse	104.21.19.200
	Payment information 366531890544-2222021,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	SwiftCopyTT.exe	Get hash	malicious	Browse	104.21.19.200
checkip.dyndns.com	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	131.186.113.70
	Yao Han Industries 61007-51333893QR001U,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	(appproved)WJO-TT180,pdf.exe	Get hash	malicious	Browse	131.186.161.70
	purchase order.exe	Get hash	malicious	Browse	131.186.113.70
	9073782912,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	SOS URGENT RFQ #2345.exe	Get hash	malicious	Browse	131.186.113.70
	purchase order 1.exe	Get hash	malicious	Browse	162.88.193.70
	telex transfer.exe	Get hash	malicious	Browse	162.88.193.70
	iAxkn PDF.exe	Get hash	malicious	Browse	216.146.43.71
	GPP.exe	Get hash	malicious	Browse	162.88.193.70
	DHL Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	216.146.43.70
	#11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe	Get hash	malicious	Browse	162.88.193.70
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	162.88.193.70
	Halkbank_Ekstre_20210222_082357_541079.exe	Get hash	malicious	Browse	131.186.113.70
	swift payment.doc	Get hash	malicious	Browse	162.88.193.70
	Order_C3350191107102300.exe	Get hash	malicious	Browse	131.186.113.70
	SecuriteInfo.com.Trojan.Inject4.6572.13919.exe	Get hash	malicious	Browse	131.186.161.70
	Order.exe	Get hash	malicious	Browse	162.88.193.70
	ORDER PURCHASE ITEMS.exe	Get hash	malicious	Browse	216.146.43.70
	Payment information 366531890544-2222021,pdf.exe	Get hash	malicious	Browse	131.186.113.70

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	172.67.188.154
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	172.67.160.246
	Yao Han Industries 61007-51333893QR001U,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe	Get hash	malicious	Browse	172.67.172.17
	ORDER LIST.xlsx	Get hash	malicious	Browse	23.227.38.74
	(appproved)WJO-TT180,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	purchase order.exe	Get hash	malicious	Browse	172.67.188.154
	9073782912,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	SOS URGENT RFQ #2345.exe	Get hash	malicious	Browse	104.21.19.200
	INV_PR2201.docm	Get hash	malicious	Browse	162.159.134.233
	XP 6.xlsx	Get hash	malicious	Browse	172.67.172.17
	b0PmDaDeNh.dll	Get hash	malicious	Browse	104.20.184.68
	PO_210222.exe	Get hash	malicious	Browse	23.227.38.74
	Sw5kF7zkty.exe	Get hash	malicious	Browse	162.159.134.233
	PAYRECEIPT.exe	Get hash	malicious	Browse	172.67.172.17
	unmapped_executable_of_polyglot_duke.dll	Get hash	malicious	Browse	172.67.204.156
	6v3gJQytBL.exe	Get hash	malicious	Browse	104.18.87.101
	YqgA9W2m1D.exe	Get hash	malicious	Browse	104.18.87.101
	Document1094680387_02012021.xls	Get hash	malicious	Browse	104.21.29.200
	Document1094680387_02012021.xls	Get hash	malicious	Browse	172.67.149.197
DYNDNSUS	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	131.186.113.70
	Yao Han Industries 61007-51333893QR001U,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	(appproved)WJO-TT180,pdf.exe	Get hash	malicious	Browse	131.186.161.70
	purchase order.exe	Get hash	malicious	Browse	131.186.113.70
	9073782912,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	SOS URGENT RFQ #2345.exe	Get hash	malicious	Browse	131.186.113.70
	purchase order 1.exe	Get hash	malicious	Browse	162.88.193.70
	telex transfer.exe	Get hash	malicious	Browse	162.88.193.70
	iAxkn PDF.exe	Get hash	malicious	Browse	216.146.43.71
	GPP.exe	Get hash	malicious	Browse	162.88.193.70
	DHL Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	216.146.43.70
	#11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe	Get hash	malicious	Browse	162.88.193.70
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	162.88.193.70
	Halkbank_Ekstre_20210222_082357_541079.exe	Get hash	malicious	Browse	131.186.113.70
	swift payment.doc	Get hash	malicious	Browse	162.88.193.70
	Order_C3350191107102300.exe	Get hash	malicious	Browse	131.186.113.70
	SecuriteInfo.com.Trojan.Inject4.6572.13919.exe	Get hash	malicious	Browse	216.146.43.70
	Order.exe	Get hash	malicious	Browse	162.88.193.70
	ORDER PURCHASE ITEMS.exe	Get hash	malicious	Browse	216.146.43.70
	Payment information 366531890544-2222021,pdf.exe	Get hash	malicious	Browse	131.186.113.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	104.21.19.200
	Yao Han Industries 61007-51333893QR001U,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	(appproved)WJO-TT180,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	purchase order.exe	Get hash	malicious	Browse	104.21.19.200
	9073782912,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	SOS URGENT RFQ #2345.exe	Get hash	malicious	Browse	104.21.19.200
	purchase order 1.exe	Get hash	malicious	Browse	104.21.19.200
	telex transfer.exe	Get hash	malicious	Browse	104.21.19.200
	GPP.exe	Get hash	malicious	Browse	104.21.19.200
	DHL Shipment Notification 6368638172.pdf.exe	Get hash	malicious	Browse	104.21.19.200
	#11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Neue Bestellung_WJO-001, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Halkbank_Ekstre_20210222_082357_541079.exe	Get hash	malicious	Browse	104.21.19.200
	Order_C3350191107102300.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Inject4.6572.13919.exe	Get hash	malicious	Browse	104.21.19.200
	Order.exe	Get hash	malicious	Browse	104.21.19.200
	ORDER PURCHASE ITEMS.exe	Get hash	malicious	Browse	104.21.19.200
	Payment information 366531890544-2222021,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	MR52.vbs	Get hash	malicious	Browse	104.21.19.200
	SwiftCopyTT.exe	Get hash	malicious	Browse	104.21.19.200

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FOB offer_1164087223_I0133P2100363812.PDF.exe.log Download File
Process:	C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.342604339328228
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4Kx1qE4qpE4Ks2wKDE4KhK3VZ9px
MD5:	34580C7C598E15B8A008C82FE6A07CDF
SHA1:	2C90E9B7F4AFFE8FC7F9C313B4B867DF5B96CAC1
SHA-256:	08246B9BE1C37F8977CE083319A9D34BE09C65B926CBA30A5E062D79D5A4F1D6
SHA-512:	D836A862804608C3A127BF0CD30ECFB428E682D5E73D90C4C2837F93F02F12307F242F47F3CBBD71249AA6E608AFE230527F2F7D306A35A681346F9DDFE9D820
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.330838112428835
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FOB offer_1164087223_I0133P2100363812.PDF.exe
File size:	3356672
MD5:	b10eafcd59bf5d8b5fcaea7175343da7
SHA1:	ba5b3ade8e66f73650eb50ec3ca78695e215e4e9
SHA256:	e2a36e86351414834625d38ab44ba38de9195a28ab9b4445696c98f80fef9e09
SHA512:	a2f30966dcd4e5f0ba8bd6f8bde00b3b0b5904a24ecd60a2e15c69bb73ddbc9b74c3a906400558958f41cc85bb6956f029261551ed3806828e27fd0aace8b556
SSDEEP:	12288:TCbYQjoiuJ3JMCfSprEeGn/gFqJnNnZyTMFF6+BAZnret/:TCbYQjoBJ3JMBrvGn/gFqJnOTU6+Gtr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!(b...............0...3..........L3.. ...`3...@.. ........................3...........@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x734cde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xA4622821 [Thu May 24 02:17:05 2057 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x334c8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x336000	0x5d6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x338000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x332ce4	0x332e00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x336000	0x5d6	0x600	False	0.417317708333	data	4.12380412335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x338000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3360a0	0x34c	data
RT_MANIFEST	0x3363ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	ScreenCapturer.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ScreenCapturer
ProductVersion	1.0.0.0
FileDescription	ScreenCapturer
OriginalFilename	ScreenCapturer.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:36:47.653973103 CET	49718	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:47.785650015 CET	80	49718	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:47.785963058 CET	49718	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:47.786459923 CET	49718	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:47.917717934 CET	80	49718	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:47.917745113 CET	80	49718	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:47.917757988 CET	80	49718	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:47.917845964 CET	49718	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:47.918896914 CET	49718	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:48.050234079 CET	80	49718	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:48.473274946 CET	49719	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:48.603620052 CET	80	49719	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:48.604887962 CET	49719	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:48.604917049 CET	49719	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:48.734757900 CET	80	49719	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:48.735183954 CET	80	49719	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:48.735203981 CET	80	49719	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:48.737428904 CET	49719	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:48.737974882 CET	49719	80	192.168.2.5	162.88.193.70
Feb 23, 2021 08:36:48.867687941 CET	80	49719	162.88.193.70	192.168.2.5
Feb 23, 2021 08:36:51.445343971 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:51.486318111 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:51.486443996 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:51.575974941 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:51.617038965 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:51.619297981 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:51.619322062 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:51.619399071 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:51.636622906 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:51.677665949 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:51.677731037 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:51.787316084 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:52.004380941 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:36:52.045336962 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:52.055479050 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:36:52.271676064 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:38:32.211450100 CET	49720	443	192.168.2.5	104.21.19.200
Feb 23, 2021 08:38:32.252652884 CET	443	49720	104.21.19.200	192.168.2.5
Feb 23, 2021 08:38:32.252806902 CET	49720	443	192.168.2.5	104.21.19.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:36:34.352915049 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:34.401505947 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:34.482239962 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:34.530970097 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:35.092433929 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:35.150553942 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:35.545433044 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:35.593908072 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:36.409924030 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:36.461545944 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:38.602375984 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:38.650939941 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:40.226308107 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:40.277834892 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:41.100189924 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:41.153681040 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:42.110230923 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:42.170021057 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:44.370172024 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:44.418952942 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:45.398272991 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:45.451570034 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:47.440604925 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:47.492157936 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:47.515018940 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:47.566571951 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:51.387927055 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:51.439770937 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 08:36:59.817301989 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:36:59.876332045 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 08:37:06.453500032 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:37:06.502176046 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 08:37:29.440562963 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:37:29.497395992 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 08:37:32.283868074 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:37:32.332545042 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 08:37:35.998430014 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:37:36.057640076 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 08:37:40.375140905 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:37:40.438473940 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 08:37:58.772171021 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:37:58.823683023 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 08:38:07.095153093 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:38:07.143791914 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 08:38:07.513964891 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:38:07.580950975 CET	53	58530	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 08:36:47.440604925 CET	192.168.2.5	8.8.8.8	0xf348	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.515018940 CET	192.168.2.5	8.8.8.8	0xbf6e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:51.387927055 CET	192.168.2.5	8.8.8.8	0x34d8	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 08:36:47.492157936 CET	8.8.8.8	192.168.2.5	0xf348	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:36:47.492157936 CET	8.8.8.8	192.168.2.5	0xf348	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.492157936 CET	8.8.8.8	192.168.2.5	0xf348	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.492157936 CET	8.8.8.8	192.168.2.5	0xf348	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.492157936 CET	8.8.8.8	192.168.2.5	0xf348	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.492157936 CET	8.8.8.8	192.168.2.5	0xf348	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.566571951 CET	8.8.8.8	192.168.2.5	0xbf6e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:36:47.566571951 CET	8.8.8.8	192.168.2.5	0xbf6e	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.566571951 CET	8.8.8.8	192.168.2.5	0xbf6e	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.566571951 CET	8.8.8.8	192.168.2.5	0xbf6e	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.566571951 CET	8.8.8.8	192.168.2.5	0xbf6e	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:47.566571951 CET	8.8.8.8	192.168.2.5	0xbf6e	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:51.439770937 CET	8.8.8.8	192.168.2.5	0x34d8	No error (0)	freegeoip.app		104.21.19.200	A (IP address)	IN (0x0001)
Feb 23, 2021 08:36:51.439770937 CET	8.8.8.8	192.168.2.5	0x34d8	No error (0)	freegeoip.app		172.67.188.154	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49718	162.88.193.70	80	C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:36:47.786459923 CET	1215	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 23, 2021 08:36:47.917745113 CET	1216	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49719	162.88.193.70	80	C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:36:48.604917049 CET	1216	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 23, 2021 08:36:48.735183954 CET	1217	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 23, 2021 08:36:51.619322062 CET	104.21.19.200	443	192.168.2.5	49720	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 10 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Tue Aug 10 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Feb 23, 2021 08:36:51.619322062 CET	104.21.19.200	443	192.168.2.5	49720	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6436 Parent PID: 5752

General

Start time:	08:36:41
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe'
Imagebase:	0xd10000
File size:	3356672 bytes
MD5 hash:	B10EAFCD59BF5D8B5FCAEA7175343DA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.240971373.0000000005439000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.235333402.00000000044A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.243473367.00000000063B0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.239618557.0000000004EA9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: FOB offer_1164087223_I0133P2100363812.PDF.exe PID: 6484 Parent PID: 6436

General

Start time:	08:36:43
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\FOB offer_1164087223_I0133P2100363812.PDF.exe
Imagebase:	0x700000
File size:	3356672 bytes
MD5 hash:	B10EAFCD59BF5D8B5FCAEA7175343DA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.495602752.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.500175759.0000000002DCA000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report FOB offer_1164087223_I0133P2100363812.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Snake Keylogger

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets