Loading ...

Play interactive tourEdit tour

Analysis Report PO202100046.exe

Overview

General Information

Sample Name:PO202100046.exe
Analysis ID:356841
MD5:eafc433b4d4bf4a0edc9b57b6f4af8ec
SHA1:0ba21c1f4f908e589db07ce4003786e0e7bf62d9
SHA256:77ee17838c1ea6e3c69ec2989df485386800901ef0caac90e01fadbad225a354
Tags:exeSnakeKeylogger
Infos:

Most interesting Screenshot:

Detection

Snake Keylogger
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Binary contains a suspicious time stamp
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • PO202100046.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\PO202100046.exe' MD5: EAFC433B4D4BF4A0EDC9B57B6F4AF8EC)
    • PO202100046.exe (PID: 6988 cmdline: C:\Users\user\Desktop\PO202100046.exe MD5: EAFC433B4D4BF4A0EDC9B57B6F4AF8EC)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1556351268", "Telegram Token": "1591373451:AAH6Q2mvjdA9146Wl0khv2-kuh-iTps2zjw"}}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmpJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
    00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmpJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
      00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
        00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmpJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
          00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.PO202100046.exe.35ae570.3.unpackJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
              0.2.PO202100046.exe.4a90000.8.raw.unpackJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
                0.2.PO202100046.exe.351bd40.5.unpackJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
                  0.2.PO202100046.exe.4a90000.8.unpackJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
                    0.2.PO202100046.exe.36a37b8.4.unpackJoeSecurity_BedsObfuscatorYara detected Beds ObfuscatorJoe Security
                      Click to see the 9 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1556351268", "Telegram Token": "1591373451:AAH6Q2mvjdA9146Wl0khv2-kuh-iTps2zjw"}}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: PO202100046.exeVirustotal: Detection: 35%Perma Link
                      Source: PO202100046.exeReversingLabs: Detection: 31%
                      Machine Learning detection for sampleShow sources
                      Source: PO202100046.exeJoe Sandbox ML: detected
                      Source: 1.2.PO202100046.exe.400000.0.unpackAvira: Label: TR/Spy.Gen

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: PO202100046.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Uses insecure TLS / SSL version for HTTPS connectionShow sources
                      Source: unknownHTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.6:49723 version: TLS 1.0
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: PO202100046.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: RunPE.pdb source: PO202100046.exe, 00000000.00000002.323840825.0000000002481000.00000004.00000001.sdmp

                      Networking:

                      barindex
                      May check the online IP address of the machineShow sources
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: Joe Sandbox ViewIP Address: 131.186.113.70 131.186.113.70
                      Source: Joe Sandbox ViewIP Address: 172.67.188.154 172.67.188.154
                      Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: unknownHTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.6:49723 version: TLS 1.0
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: unknownDNS traffic detected: queries for: checkip.dyndns.org
                      Source: PO202100046.exe, 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmpString found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.com
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org
                      Source: PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org/
                      Source: PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org/HB
                      Source: PO202100046.exe, 00000001.00000002.590354272.0000000002E56000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org4
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.orgD8
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: PO202100046.exe, 00000001.00000002.589625854.0000000000FD2000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Om
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                      Source: PO202100046.exe, 00000001.00000002.589625854.0000000000FD2000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.c
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://freegeoip.app
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/84.17.52.38
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/84.17.52.38x
                      Source: PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app4
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp, PO202100046.exe, 00000001.00000002.590473674.0000000002E94000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                      Source: PO202100046.exe, 00000000.00000002.323550847.00000000006AB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 0_2_008683700_2_00868370
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 0_2_00869AB80_2_00869AB8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 0_2_008665600_2_00866560
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 0_2_008665700_2_00866570
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 0_2_00869AA80_2_00869AA8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012F81301_2_012F8130
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012FB2301_2_012FB230
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012F05881_2_012F0588
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012F7B081_2_012F7B08
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012F10411_2_012F1041
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012F15581_2_012F1558
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_012F59601_2_012F5960
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06370EF81_2_06370EF8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063737F01_2_063737F0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06373FF01_2_06373FF0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063747F01_2_063747F0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06374FF01_2_06374FF0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637ABF81_2_0637ABF8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06371C501_2_06371C50
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063700401_2_06370040
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637F4D81_2_0637F4D8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637E9601_2_0637E960
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06370E981_2_06370E98
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063747931_2_06374793
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06373F911_2_06373F91
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06374F901_2_06374F90
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063737D31_2_063737D3
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063700061_2_06370006
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637A8721_2_0637A872
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637F47B1_2_0637F47B
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063779301_2_06377930
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063900401_2_06390040
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063940D81_2_063940D8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063908281_2_06390828
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063948C01_2_063948C0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063929701_2_06392970
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063917F81_2_063917F8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063910101_2_06391010
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063931581_2_06393158
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06391FE01_2_06391FE0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063939401_2_06393940
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063907C81_2_063907C8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063900071_2_06390007
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063941281_2_06394128
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06390FB11_2_06390FB1
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063948B01_2_063948B0
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063929111_2_06392911
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063917991_2_06391799
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_063930F81_2_063930F8
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06391F811_2_06391F81
                      Source: PO202100046.exeBinary or memory string: OriginalFilename vs PO202100046.exe
                      Source: PO202100046.exe, 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCaptIt.dll. vs PO202100046.exe
                      Source: PO202100046.exe, 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmpBinary or memory string: OriginalFilename6D0VQXBZ.exe4 vs PO202100046.exe
                      Source: PO202100046.exe, 00000000.00000002.323840825.0000000002481000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs PO202100046.exe
                      Source: PO202100046.exeBinary or memory string: OriginalFilename vs PO202100046.exe
                      Source: PO202100046.exe, 00000001.00000002.589473933.0000000000F4A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO202100046.exe
                      Source: PO202100046.exe, 00000001.00000002.588913424.0000000000CF6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs PO202100046.exe
                      Source: PO202100046.exe, 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilename6D0VQXBZ.exe4 vs PO202100046.exe
                      Source: PO202100046.exeBinary or memory string: OriginalFilenameScreenCapturer.exe> vs PO202100046.exe
                      Source: PO202100046.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: PO202100046.exe, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.PO202100046.exe.40000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.PO202100046.exe.40000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.PO202100046.exe.8b0000.0.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.PO202100046.exe.8b0000.1.unpack, CaptureRectangle.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal88.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\PO202100046.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO202100046.exe.logJump to behavior
                      Source: PO202100046.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PO202100046.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: PO202100046.exeVirustotal: Detection: 35%
                      Source: PO202100046.exeReversingLabs: Detection: 31%
                      Source: unknownProcess created: C:\Users\user\Desktop\PO202100046.exe 'C:\Users\user\Desktop\PO202100046.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exe
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exeJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: PO202100046.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO202100046.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RunPE.pdb source: PO202100046.exe, 00000000.00000002.323840825.0000000002481000.00000004.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      Binary contains a suspicious time stampShow sources
                      Source: initial sampleStatic PE information: 0xA4622821 [Thu May 24 02:17:05 2057 UTC]
                      Yara detected Beds ObfuscatorShow sources
                      Source: Yara matchFile source: 00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
                      Source: Yara matchFile source: 0.2.PO202100046.exe.35ae570.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.4a90000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.351bd40.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.4a90000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637B601 push es; iretd 1_2_0637B604
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637A76D push es; retf 1_2_0637A870
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637A83B push es; retf 1_2_0637A870
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637BC05 push 8B000003h; iretd 1_2_0637BC0C
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_0637B507 push es; ret 1_2_0637B600
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.98391026128
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected Beds ObfuscatorShow sources
                      Source: Yara matchFile source: 00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
                      Source: Yara matchFile source: 0.2.PO202100046.exe.35ae570.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.4a90000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.351bd40.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.4a90000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\PO202100046.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exe TID: 6980Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: PO202100046.exe, 00000001.00000002.589625854.0000000000FD2000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeCode function: 1_2_06371C50 LdrInitializeThunk,KiUserExceptionDispatcher,1_2_06371C50
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exeJump to behavior
                      Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                      Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Users\user\Desktop\PO202100046.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Users\user\Desktop\PO202100046.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected Snake KeyloggerShow sources
                      Source: Yara matchFile source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\PO202100046.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\PO202100046.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected Snake KeyloggerShow sources
                      Source: Yara matchFile source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection12Masquerading1OS Credential Dumping1Security Software Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2Input Capture1Virtualization/Sandbox Evasion2Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesArchive Collected Data11Automated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection12NTDSRemote System Discovery1Distributed Component Object ModelData from Local System1Scheduled TransferApplication Layer Protocol