Windows Analysis Report o6U6dMCbP3.exe

Overview

General Information

Sample Name: o6U6dMCbP3.exe
Analysis ID: 491941
MD5: 905f74fb158b50341e6dc710a60dad37
SHA1: b54645bb347a4c76d73f2ff0e46aa4bd9b010ae0
SHA256: e2be9c91435869a3115459dccf4bd7f39c7da19e2b8ef43979b6a234c6c73335
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "Light1988@", "FTP Username": "ftp://ftp.servicoscisi.shop", "FTP Password": "snaky@servicoscisi.shop"}
Multi AV Scanner detection for submitted file
Source: o6U6dMCbP3.exe Virustotal: Detection: 63%
Source: o6U6dMCbP3.exe ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: o6U6dMCbP3.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses 32bit PE files
Source: o6U6dMCbP3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49753 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49756 version: TLS 1.0
Source: o6U6dMCbP3.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ediskcz.pdb source: o6U6dMCbP3.exe, 00000000.00000002.700719222.00000000030B0000.00000004.00020000.sdmp
Source: Binary string: c:\Users\Administrator\Desktop\scanned.pdbdB~B pB_CorExeMainmscoree.dll source: o6U6dMCbP3.exe
Source: Binary string: ediskcz.pdbh; source: o6U6dMCbP3.exe, 00000000.00000002.700719222.00000000030B0000.00000004.00020000.sdmp
Source: Binary string: c:\Users\Administrator\Desktop\scanned.pdb source: o6U6dMCbP3.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Code function: 4x nop then jmp 00007FFA36470B86h 0_2_00007FFA364624C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 02D2F508h 6_2_02D2EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 02D2F969h 6_2_02D2F6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_02D2E040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_02D2E673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_02D2E854

Networking:

May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe DNS query: name: checkip.dyndns.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/889615282304352289/890378116634144818/MMCHIA.exe HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/889935662827044904/889981640498090054/runpe.pdf HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.39 HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.19.200 104.21.19.200
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49753 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49756 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000006.00000002.941866904.0000000002EA1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: o6U6dMCbP3.exe, 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000006.00000002.941937571.0000000002F3C000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org4
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.orgD8
Source: o6U6dMCbP3.exe, 00000000.00000002.704200788.000000001C190000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.941969963.0000000002F69000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.app
Source: o6U6dMCbP3.exe, 00000000.00000002.700829793.0000000003191000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.941866904.0000000002EA1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: o6U6dMCbP3.exe, 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: o6U6dMCbP3.exe, 00000000.00000002.700829793.0000000003191000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: o6U6dMCbP3.exe String found in binary or memory: https://cdn.discordapp.com/attachments/889615282304352289/890378116634144818/MMCHIA.exe
Source: o6U6dMCbP3.exe, 00000000.00000002.700897776.00000000031EA000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/889935662827044904/889981640498090054/runpe.pdf
Source: o6U6dMCbP3.exe, 00000000.00000002.700869693.00000000031CF000.00000004.00000001.sdmp, o6U6dMCbP3.exe, 00000000.00000002.700907077.0000000003232000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/default_product_name
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: o6U6dMCbP3.exe, 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.39
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.39x
Source: RegAsm.exe, 00000006.00000002.941954661.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app4
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Uses 32bit PE files
Source: o6U6dMCbP3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D286B0 6_2_02D286B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D24B88 6_2_02D24B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D2EB20 6_2_02D2EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D25300 6_2_02D25300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D2F6A8 6_2_02D2F6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D23578 6_2_02D23578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D258D8 6_2_02D258D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D27F00 6_2_02D27F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D2E040 6_2_02D2E040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D2E032 6_2_02D2E032
Sample file is different than original file name gathered from version info
Source: o6U6dMCbP3.exe, 00000000.00000002.700414448.0000000001329000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs o6U6dMCbP3.exe
Source: o6U6dMCbP3.exe, 00000000.00000002.700719222.00000000030B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameediskcz.dll0 vs o6U6dMCbP3.exe
Source: o6U6dMCbP3.exe, 00000000.00000002.700893163.00000000031E6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs o6U6dMCbP3.exe
Source: o6U6dMCbP3.exe, 00000000.00000000.675551195.0000000000F36000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamescanned.exe4 vs o6U6dMCbP3.exe
Source: o6U6dMCbP3.exe Binary or memory string: OriginalFilenamescanned.exe4 vs o6U6dMCbP3.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Section loaded: mscorjit.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: o6U6dMCbP3.exe Virustotal: Detection: 63%
Source: o6U6dMCbP3.exe ReversingLabs: Detection: 75%
Source: o6U6dMCbP3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\o6U6dMCbP3.exe 'C:\Users\user\Desktop\o6U6dMCbP3.exe'
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\o6U6dMCbP3.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/1@4/4
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
Source: 6.2.RegAsm.exe.400000.0.unpack, u0306???u05c3/u0300????.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 6.2.RegAsm.exe.400000.0.unpack, ??ufffd??/ufffdu05c3???.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: o6U6dMCbP3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: o6U6dMCbP3.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: o6U6dMCbP3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ediskcz.pdb source: o6U6dMCbP3.exe, 00000000.00000002.700719222.00000000030B0000.00000004.00020000.sdmp
Source: Binary string: c:\Users\Administrator\Desktop\scanned.pdbdB~B pB_CorExeMainmscoree.dll source: o6U6dMCbP3.exe
Source: Binary string: ediskcz.pdbh; source: o6U6dMCbP3.exe, 00000000.00000002.700719222.00000000030B0000.00000004.00020000.sdmp
Source: Binary string: c:\Users\Administrator\Desktop\scanned.pdb source: o6U6dMCbP3.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: o6U6dMCbP3.exe, Form.cs .Net Code: RawForm System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.o6U6dMCbP3.exe.f30000.0.unpack, Form.cs .Net Code: RawForm System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.o6U6dMCbP3.exe.f30000.0.unpack, Form.cs .Net Code: RawForm System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D2DCE8 pushad ; iretd 6_2_02D2DCE9
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe TID: 6944 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe TID: 6924 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: o6U6dMCbP3.exe, 00000000.00000003.686961440.00000000013D4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOO^
Source: o6U6dMCbP3.exe, 00000000.00000002.700719222.00000000030B0000.00000004.00020000.sdmp Binary or memory string: e48cvMCi6f

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02D2EB20 LdrInitializeThunk, 6_2_02D2EB20
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C52008
.NET source code references suspicious native API functions
Source: 6.2.RegAsm.exe.400000.0.unpack, ??ufffd??/ufffdu05c3???.cs Reference to suspicious API methods: ('??R??', 'MapVirtualKey@user32.dll')
Source: 6.2.RegAsm.exe.400000.0.unpack, ???ufffd?/ufffdu26ca?ufffd?.cs Reference to suspicious API methods: ('??K??', 'GetProcAddress@kernel32'), ('??Z??', 'LoadLibrary@kernel32.dll')
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: RegAsm.exe, 00000006.00000002.941544941.0000000001580000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.941544941.0000000001580000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.941544941.0000000001580000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000006.00000002.941544941.0000000001580000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Queries volume information: C:\Users\user\Desktop\o6U6dMCbP3.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\o6U6dMCbP3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703580677.00000000131C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703844022.0000000013241000.00000004.00000001.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703580677.00000000131C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703844022.0000000013241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: o6U6dMCbP3.exe PID: 6812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3416, type: MEMORYSTR
Tries to harvest and steal FTP login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703580677.00000000131C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703844022.0000000013241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: o6U6dMCbP3.exe PID: 6812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3416, type: MEMORYSTR

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703580677.00000000131C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703844022.0000000013241000.00000004.00000001.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.132416d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o6U6dMCbP3.exe.131c1a28.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.703519313.00000000131A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703580677.00000000131C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.941088589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.703844022.0000000013241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: o6U6dMCbP3.exe PID: 6812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3416, type: MEMORYSTR