Edit tour

Windows Analysis Report
New order _xls.exe

Overview

General Information

Sample Name:	New order _xls.exe
Analysis ID:	608573
MD5:	5f879e53e945fe24f8885774f36d4b1f
SHA1:	04876d8b3b65590d2067e8e52cbf555d2763ace4
SHA256:	5fc33b3fda224e85ca520da99c6caed5bcfef8e0e29636df90b2ff4ca16a9abd
Tags:	exesnakekeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

New order _xls.exe (PID: 5564 cmdline: "C:\Users\user\Desktop\New order _xls.exe" MD5: 5F879E53E945FE24F8885774F36D4B1F)

New order _xls.exe (PID: 4392 cmdline: C:\Users\user\Desktop\New order _xls.exe MD5: 5F879E53E945FE24F8885774F36D4B1F)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Token": "l0gs.l@yandex.com", "Telegram ID": "333bukis"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2106e:$x1: $%SMTPDV$ 0x51e8e:$x1: $%SMTPDV$ 0x1fcae:$x2: $#TheHashHere%& 0x50ace:$x2: $#TheHashHere%& 0x21016:$x3: %FTPDV$ 0x51e36:$x3: %FTPDV$ 0x1fc90:$x4: $%TelegramDv$ 0x50ab0:$x4: $%TelegramDv$ 0x1d6dc:$x5: KeyLoggerEventArgs 0x1da6c:$x5: KeyLoggerEventArgs 0x4e4fc:$x5: KeyLoggerEventArgs 0x4e88c:$x5: KeyLoggerEventArgs 0x2109a:$m1: \| Snake Keylogger 0x21140:$m1: \| Snake Keylogger 0x21294:$m1: \| Snake Keylogger 0x213ba:$m1: \| Snake Keylogger 0x21514:$m1: \| Snake Keylogger 0x51eba:$m1: \| Snake Keylogger 0x51f60:$m1: \| Snake Keylogger 0x520b4:$m1: \| Snake Keylogger 0x521da:$m1: \| Snake Keylogger
00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18eae:$x1: $%SMTPDV$ 0x17aee:$x2: $#TheHashHere%& 0x18e56:$x3: %FTPDV$ 0x17ad0:$x4: $%TelegramDv$ 0x1551c:$x5: KeyLoggerEventArgs 0x158ac:$x5: KeyLoggerEventArgs 0x18eda:$m1: \| Snake Keylogger 0x18f80:$m1: \| Snake Keylogger 0x190d4:$m1: \| Snake Keylogger 0x191fa:$m1: \| Snake Keylogger 0x19354:$m1: \| Snake Keylogger 0x18e7a:$m2: Clipboard Logs ID 0x1908a:$m2: Screenshot Logs ID 0x1919e:$m2: keystroke Logs ID 0x1938a:$m3: SnakePW 0x19062:$m4: \SnakeKeylogger\
00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1873e:$x1: $%SMTPDV$ 0x1737e:$x2: $#TheHashHere%& 0x186e6:$x3: %FTPDV$ 0x17360:$x4: $%TelegramDv$ 0x14dac:$x5: KeyLoggerEventArgs 0x1513c:$x5: KeyLoggerEventArgs 0x1876a:$m1: \| Snake Keylogger 0x18810:$m1: \| Snake Keylogger 0x18964:$m1: \| Snake Keylogger 0x18a8a:$m1: \| Snake Keylogger 0x18be4:$m1: \| Snake Keylogger 0x1870a:$m2: Clipboard Logs ID 0x1891a:$m2: Screenshot Logs ID 0x18a2e:$m2: keystroke Logs ID 0x18c1a:$m3: SnakePW 0x188f2:$m4: \SnakeKeylogger\
Process Memory Space: New order _xls.exe PID: 5564	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: New order _xls.exe PID: 5564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New order _xls.exe PID: 5564	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xc7aea:$x5: KeyLoggerEventArgs 0xc7e7a:$x5: KeyLoggerEventArgs 0xc8452:$x5: KeyLoggerEventArgs 0xc87ad:$x5: KeyLoggerEventArgs 0x15c0a3:$x5: KeyLoggerEventArgs 0x15c433:$x5: KeyLoggerEventArgs 0x15ca0b:$x5: KeyLoggerEventArgs 0x15cd66:$x5: KeyLoggerEventArgs 0xc9ff2:$m1: \| Snake Keylogger 0xca041:$m1: \| Snake Keylogger 0xca0d5:$m1: \| Snake Keylogger 0xca136:$m1: \| Snake Keylogger 0xca1ab:$m1: \| Snake Keylogger 0x15e5ab:$m1: \| Snake Keylogger 0x15e5fa:$m1: \| Snake Keylogger 0x15e68e:$m1: \| Snake Keylogger 0x15e6ef:$m1: \| Snake Keylogger 0x15e764:$m1: \| Snake Keylogger 0xc9fc1:$m2: Clipboard Logs ID 0xca0b0:$m2: Screenshot Logs ID 0xca108:$m2: keystroke Logs ID
Process Memory Space: New order _xls.exe PID: 4392	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: New order _xls.exe PID: 4392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New order _xls.exe PID: 4392	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18e3d:$x5: KeyLoggerEventArgs 0x191cd:$x5: KeyLoggerEventArgs 0x197a5:$x5: KeyLoggerEventArgs 0x19b00:$x5: KeyLoggerEventArgs 0x1b345:$m1: \| Snake Keylogger 0x1b394:$m1: \| Snake Keylogger 0x1b428:$m1: \| Snake Keylogger 0x1b489:$m1: \| Snake Keylogger 0x1b4fe:$m1: \| Snake Keylogger 0x1b314:$m2: Clipboard Logs ID 0x1b403:$m2: Screenshot Logs ID 0x1b45b:$m2: keystroke Logs ID 0x1b519:$m3: SnakePW 0x1b3ef:$m4: \SnakeKeylogger\
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.New order _xls.exe.400000.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
7.0.New order _xls.exe.400000.12.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.0.New order _xls.exe.400000.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.0.New order _xls.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.0.New order _xls.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
7.0.New order _xls.exe.400000.12.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.New order _xls.exe.412a550.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1943e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18627:$a3: \Google\Chrome\User Data\Default\Login Data 0x18a6e:$a4: \Orbitum\User Data\Default\Login Data 0x19bef:$a5: \Kometa\User Data\Default\Login Data
0.2.New order _xls.exe.412a550.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.New order _xls.exe.412a550.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.New order _xls.exe.412a550.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New order _xls.exe.412a550.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12b24:$s1: UnHook 0x12b2b:$s2: SetHook 0x12b33:$s3: CallNextHook 0x12b40:$s4: _hook
0.2.New order _xls.exe.412a550.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16b3e:$x1: $%SMTPDV$ 0x1577e:$x2: $#TheHashHere%& 0x16ae6:$x3: %FTPDV$ 0x15760:$x4: $%TelegramDv$ 0x131ac:$x5: KeyLoggerEventArgs 0x1353c:$x5: KeyLoggerEventArgs 0x16b6a:$m1: \| Snake Keylogger 0x16c10:$m1: \| Snake Keylogger 0x16d64:$m1: \| Snake Keylogger 0x16e8a:$m1: \| Snake Keylogger 0x16fe4:$m1: \| Snake Keylogger 0x16b0a:$m2: Clipboard Logs ID 0x16d1a:$m2: Screenshot Logs ID 0x16e2e:$m2: keystroke Logs ID 0x1701a:$m3: SnakePW 0x16cf2:$m4: \SnakeKeylogger\
7.0.New order _xls.exe.400000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
7.0.New order _xls.exe.400000.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.0.New order _xls.exe.400000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.0.New order _xls.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.0.New order _xls.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
7.0.New order _xls.exe.400000.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
7.0.New order _xls.exe.400000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
7.0.New order _xls.exe.400000.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.0.New order _xls.exe.400000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.0.New order _xls.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.0.New order _xls.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
7.0.New order _xls.exe.400000.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
7.0.New order _xls.exe.400000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
7.0.New order _xls.exe.400000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.0.New order _xls.exe.400000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.0.New order _xls.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New order _xls.exe.4152570.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1943e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18627:$a3: \Google\Chrome\User Data\Default\Login Data 0x18a6e:$a4: \Orbitum\User Data\Default\Login Data 0x19bef:$a5: \Kometa\User Data\Default\Login Data
7.0.New order _xls.exe.400000.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
0.2.New order _xls.exe.412a550.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
7.0.New order _xls.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
7.0.New order _xls.exe.400000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
7.0.New order _xls.exe.400000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.0.New order _xls.exe.400000.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.0.New order _xls.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.0.New order _xls.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
7.0.New order _xls.exe.400000.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.New order _xls.exe.412a550.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.New order _xls.exe.412a550.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.New order _xls.exe.4152570.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.New order _xls.exe.4152570.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.New order _xls.exe.4152570.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New order _xls.exe.412a550.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New order _xls.exe.4152570.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12b24:$s1: UnHook 0x12b2b:$s2: SetHook 0x12b33:$s3: CallNextHook 0x12b40:$s4: _hook
0.2.New order _xls.exe.412a550.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
0.2.New order _xls.exe.412a550.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.New order _xls.exe.4152570.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16b3e:$x1: $%SMTPDV$ 0x1577e:$x2: $#TheHashHere%& 0x16ae6:$x3: %FTPDV$ 0x15760:$x4: $%TelegramDv$ 0x131ac:$x5: KeyLoggerEventArgs 0x1353c:$x5: KeyLoggerEventArgs 0x16b6a:$m1: \| Snake Keylogger 0x16c10:$m1: \| Snake Keylogger 0x16d64:$m1: \| Snake Keylogger 0x16e8a:$m1: \| Snake Keylogger 0x16fe4:$m1: \| Snake Keylogger 0x16b0a:$m2: Clipboard Logs ID 0x16d1a:$m2: Screenshot Logs ID 0x16e2e:$m2: keystroke Logs ID 0x1701a:$m3: SnakePW 0x16cf2:$m4: \SnakeKeylogger\
7.2.New order _xls.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b23e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a427:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a86e:$a4: \Orbitum\User Data\Default\Login Data 0x1b9ef:$a5: \Kometa\User Data\Default\Login Data
7.2.New order _xls.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.2.New order _xls.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.New order _xls.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.New order _xls.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
7.2.New order _xls.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
0.2.New order _xls.exe.4152570.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.New order _xls.exe.4152570.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.New order _xls.exe.4152570.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New order _xls.exe.4152570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14924:$s1: UnHook 0x1492b:$s2: SetHook 0x14933:$s3: CallNextHook 0x14940:$s4: _hook
0.2.New order _xls.exe.4152570.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1893e:$x1: $%SMTPDV$ 0x1757e:$x2: $#TheHashHere%& 0x188e6:$x3: %FTPDV$ 0x17560:$x4: $%TelegramDv$ 0x14fac:$x5: KeyLoggerEventArgs 0x1533c:$x5: KeyLoggerEventArgs 0x1896a:$m1: \| Snake Keylogger 0x18a10:$m1: \| Snake Keylogger 0x18b64:$m1: \| Snake Keylogger 0x18c8a:$m1: \| Snake Keylogger 0x18de4:$m1: \| Snake Keylogger 0x1890a:$m2: Clipboard Logs ID 0x18b1a:$m2: Screenshot Logs ID 0x18c2e:$m2: keystroke Logs ID 0x18e1a:$m3: SnakePW 0x18af2:$m4: \SnakeKeylogger\
Click to see the 54 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke (rule): Data: Image: C:\Users\user\Desktop\New order _xls.exe, QueryName: checkip.dyndns.org

Source: Process started

Author: frack113: Data: Command: C:\Users\user\Desktop\New order _xls.exe, CommandLine: C:\Users\user\Desktop\New order _xls.exe, CommandLine|base64offset|contains: ^, Image: C:\Users\user\Desktop\New order _xls.exe, NewProcessName: C:\Users\user\Desktop\New order _xls.exe, OriginalFileName: C:\Users\user\Desktop\New order _xls.exe, ParentCommandLine: "C:\Users\user\Desktop\New order _xls.exe" , ParentImage: C:\Users\user\Desktop\New order _xls.exe, ParentProcessId: 5564, ParentProcessName: New order _xls.exe, ProcessCommandLine: C:\Users\user\Desktop\New order _xls.exe, ProcessId: 4392, ProcessName: New order _xls.exe

Snort Signatures

ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) - Source IP: 45.137.22.163 - Destination IP: 192.168.2.7

Timestamp:	04/13/22-11:59:35.602866
SID:	2848901
Source Port:	80
Destination Port:	49752
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.7 - Destination IP: 132.226.8.169

Timestamp:	04/13/22-11:59:51.203741
SID:	2842536
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.0.New order _xls.exe.400000.12.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "l0gs.l@yandex.com", "Telegram ID": "333bukis"}

Multi AV Scanner detection for submitted file

Source: New order _xls.exe	Virustotal: Detection: 21%			Perma Link
Source: New order _xls.exe	ReversingLabs: Detection: 23%

Machine Learning detection for sample

Source: New order _xls.exe

Joe Sandbox ML: detected

Source: 7.0.New order _xls.exe.400000.12.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 7.0.New order _xls.exe.400000.6.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 7.0.New order _xls.exe.400000.10.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 7.0.New order _xls.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 7.0.New order _xls.exe.400000.8.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 7.2.New order _xls.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen

Source: New order _xls.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: unknown

HTTPS traffic detected: 188.114.96.7:443 -> 192.168.2.7:49761 version: TLS 1.0

Source: New order _xls.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACE43Fh	7_2_00ACE19A
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACCBC0h	7_2_00ACC1D7
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACD5E8h	7_2_00ACD1D0
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACE89Fh	7_2_00ACE5E2
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACECFFh	7_2_00ACEA40
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACDFDFh	7_2_00ACDD06
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACD021h	7_2_00ACCD60
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACF15Fh	7_2_00ACEEBA
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then jmp 00ACD5E8h	7_2_00ACD516
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_00ACB6F8
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_00ACBD2B
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_00ACBF0C

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2848901 ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) 45.137.22.163:80 -> 192.168.2.7:49752
Source: Traffic	Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.7:49759 -> 132.226.8.169:80

May check the online IP address of the machine

Source: C:\Users\user\Desktop\New order _xls.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\New order _xls.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\New order _xls.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\New order _xls.exe	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View	ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View	ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET /xml/84.17.52.15 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /New_order__xls_Ivuuoipf.bmp HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: unknown

HTTPS traffic detected: 188.114.96.7:443 -> 192.168.2.7:49761 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163

Source: New order _xls.exe, 00000000.00000002.453742595.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163
Source: New order _xls.exe	String found in binary or memory: http://45.137.22.163/New_order__xls_Ivuuoipf.bmp
Source: New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: New order _xls.exe, 00000007.00000002.619183695.0000000002875000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: New order _xls.exe, 00000007.00000002.619113120.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: New order _xls.exe, 00000007.00000002.619183695.0000000002875000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org4hk
Source: New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgD8hk
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: New order _xls.exe, 00000007.00000002.619246346.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: New order _xls.exe, 00000000.00000002.453742595.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000002.619113120.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: New order _xls.exe, 00000000.00000003.356761484.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comi
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.15
Source: New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.15x
Source: New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app4hk
Source: New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /xml/84.17.52.15 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /New_order__xls_Ivuuoipf.bmp HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: New order _xls.exe PID: 5564, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: New order _xls.exe PID: 4392, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New order _xls.exe

Source: New order _xls.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: New order _xls.exe PID: 5564, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: New order _xls.exe PID: 4392, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 0_2_0164E4E4	0_2_0164E4E4
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 0_2_0563A1E0	0_2_0563A1E0
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 0_2_0563E3A8	0_2_0563E3A8
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACE19A	7_2_00ACE19A
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACC1D7	7_2_00ACC1D7
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00AC5305	7_2_00AC5305
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00AC35A0	7_2_00AC35A0
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACE5E2	7_2_00ACE5E2
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00AC86B0	7_2_00AC86B0
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACD660	7_2_00ACD660
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACEA40	7_2_00ACEA40
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00AC4B98	7_2_00AC4B98
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACDD06	7_2_00ACDD06
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACCD60	7_2_00ACCD60
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACEEBA	7_2_00ACEEBA
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00AC3590	7_2_00AC3590
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACB6FD	7_2_00ACB6FD
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACB6F8	7_2_00ACB6F8
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00ACD650	7_2_00ACD650
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00AC2C31	7_2_00AC2C31

Source: New order _xls.exe	Binary or memory string: OriginalFilename vs New order _xls.exe
Source: New order _xls.exe, 00000000.00000003.445426278.0000000004859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKldzkmgtxbhkxzxjpsha.dll" vs New order _xls.exe
Source: New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs New order _xls.exe
Source: New order _xls.exe, 00000000.00000003.444746874.00000000044D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKldzkmgtxbhkxzxjpsha.dll" vs New order _xls.exe
Source: New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs New order _xls.exe
Source: New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs New order _xls.exe
Source: New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs New order _xls.exe
Source: New order _xls.exe	Binary or memory string: OriginalFilename vs New order _xls.exe
Source: New order _xls.exe, 00000007.00000000.450208562.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiJMJnUDAnLMGBkvrphkwZ.exeL vs New order _xls.exe
Source: New order _xls.exe, 00000007.00000002.615967004.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New order _xls.exe

Source: New order _xls.exe	Virustotal: Detection: 21%
Source: New order _xls.exe	ReversingLabs: Detection: 23%

Source: New order _xls.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New order _xls.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New order _xls.exe "C:\Users\user\Desktop\New order _xls.exe"
Source: C:\Users\user\Desktop\New order _xls.exe	Process created: C:\Users\user\Desktop\New order _xls.exe C:\Users\user\Desktop\New order _xls.exe
Source: C:\Users\user\Desktop\New order _xls.exe	Process created: C:\Users\user\Desktop\New order _xls.exe C:\Users\user\Desktop\New order _xls.exe	Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New order _xls.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/4

Source: C:\Users\user\Desktop\New order _xls.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: 7.0.New order _xls.exe.400000.12.unpack, A?u05c9t?/uf0b9????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.New order _xls.exe.400000.12.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.New order _xls.exe.400000.6.unpack, A?u05c9t?/uf0b9????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.New order _xls.exe.400000.6.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.New order _xls.exe.400000.10.unpack, A?u05c9t?/uf0b9????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.New order _xls.exe.400000.10.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.New order _xls.exe.400000.4.unpack, A?u05c9t?/uf0b9????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\New order _xls.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: New order _xls.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: New order _xls.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

.NET source code contains potential unpacker

Source: New order _xls.exe, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New order _xls.exe.cd0000.0.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New order _xls.exe.cd0000.0.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.2.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.0.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.11.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.13.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.1.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.New order _xls.exe.470000.1.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.9.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.3.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.New order _xls.exe.470000.7.unpack, Mhsgz/Task.cs	.Net Code: StartCallback System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 0_2_00CD5EC8 push cs; retf	0_2_00CD5F0A
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 0_2_0164710C push B9D2F719h; ret	0_2_01647112
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 0_2_05632512 push ecx; ret	0_2_05632525
Source: C:\Users\user\Desktop\New order _xls.exe	Code function: 7_2_00475EC8 push cs; retf	7_2_00475F0A

Source: New order _xls.exe

Static PE information: 0xFE96AEA1 [Sat May 9 04:52:49 2105 UTC]

Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe TID: 5704	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe TID: 4616	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Window / User API: threadDelayed 997

Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: New order _xls.exe, 00000000.00000002.452547320.0000000001376000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt

Source: C:\Users\user\Desktop\New order _xls.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Code function: 7_2_00ACC1D7 LdrInitializeThunk,

7_2_00ACC1D7

Source: C:\Users\user\Desktop\New order _xls.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 7.0.New order _xls.exe.400000.12.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 7.0.New order _xls.exe.400000.12.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 7.0.New order _xls.exe.400000.6.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 7.0.New order _xls.exe.400000.6.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 7.0.New order _xls.exe.400000.10.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 7.0.New order _xls.exe.400000.10.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 7.0.New order _xls.exe.400000.4.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 7.0.New order _xls.exe.400000.4.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 7.0.New order _xls.exe.400000.8.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 7.0.New order _xls.exe.400000.8.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 7.2.New order _xls.exe.400000.0.unpack, ufffd?ufffdu002d?/??O?ufffd.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 7.2.New order _xls.exe.400000.0.unpack, ?k??u0026/u05c1????.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\New order _xls.exe

Memory written: C:\Users\user\Desktop\New order _xls.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Process created: C:\Users\user\Desktop\New order _xls.exe C:\Users\user\Desktop\New order _xls.exe

Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Users\user\Desktop\New order _xls.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Users\user\Desktop\New order _xls.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\New order _xls.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New order _xls.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: New order _xls.exe PID: 4392, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\New order _xls.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\New order _xls.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\New order _xls.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\New order _xls.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New order _xls.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: New order _xls.exe PID: 4392, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.0.New order _xls.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.New order _xls.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.412a550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.New order _xls.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New order _xls.exe.4152570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450601885.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.449422704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.615746476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.450178812.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New order _xls.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: New order _xls.exe PID: 4392, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New order _xls.exe	21%	Virustotal		Browse
New order _xls.exe	24%	ReversingLabs	Win32.Trojan.Injuke
New order _xls.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.0.New order _xls.exe.400000.12.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
7.0.New order _xls.exe.400000.6.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
7.0.New order _xls.exe.400000.10.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
7.0.New order _xls.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
7.0.New order _xls.exe.400000.8.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
7.2.New order _xls.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File

Domains

Source	Detection	Scanner	Link
freegeoip.app	1%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org4hk	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.orgD8hk	0%	Avira URL Cloud	safe
http://45.137.22.163/New_order__xls_Ivuuoipf.bmp	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.15x	0%	Avira URL Cloud	safe
https://freegeoip.app4hk	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.15	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://45.137.22.163	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.tiro.comi	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	188.114.96.7	true	false	1%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.137.22.163/New_order__xls_Ivuuoipf.bmp	true	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown
https://freegeoip.app/xml/84.17.52.15	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org4hk	New order _xls.exe, 00000007.00000002.619183695.0000000002875000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
https://freegeoip.app	New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	New order _xls.exe, 00000007.00000002.619183695.0000000002875000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgD8hk	New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
https://freegeoip.app/xml/84.17.52.15x	New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app4hk	New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/2152978/23354rCannot	New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	New order _xls.exe, 00000000.00000002.453837915.0000000003129000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454179425.000000000327C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	New order _xls.exe, 00000000.00000002.454540552.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000000.00000002.454683780.0000000004152000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000000.449813822.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.137.22.163	New order _xls.exe, 00000000.00000002.453742595.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	New order _xls.exe, 00000007.00000002.619217466.0000000002884000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comi	New order _xls.exe, 00000000.00000003.356761484.000000000167C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	New order _xls.exe, 00000000.00000002.453742595.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, New order _xls.exe, 00000007.00000002.619113120.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	New order _xls.exe, 00000000.00000002.456027589.0000000007172000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://freegeoip.app	New order _xls.exe, 00000007.00000002.619246346.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	true
45.137.22.163	unknown	Netherlands	51447	ROOTLAYERNETNL	true
188.114.96.7	freegeoip.app	European Union	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	608573
Start date and time: 13/04/202211:57:44	2022-04-13 11:57:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	New order _xls.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 88% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:59:43	API Interceptor	1x Sleep call for process: New order _xls.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
132.226.8.169	LKlxOcLiVTpxUWt.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ZHOU0422.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	img-000.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Bahon Ltd Inquiry#20220412.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Products Inquiries.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO_28001.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	INVOICE.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Swift Copy.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Ref-04122022115609.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Invoice Number.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	03456789098765432234567890987654.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Dekont pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	23456789-09876543234567890987654508.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	30000388277732_20220411,XLSX.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	YC2n8AZBXs.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	qC5oUnMzhtYvHPc.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	31.03.2022-08.04.2022_1188- 0082919_Hesap #U00d6zeti.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Product Inquiries.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	GsEbO50nba6sa6B.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Products Inquries.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	LKlxOcLiVTpxUWt.exe	Get hash	malicious	Browse	132.226.8.169
	Document.exe	Get hash	malicious	Browse	158.101.44.242
	payment.exe	Get hash	malicious	Browse	193.122.6.168
	QOUTATION.exe	Get hash	malicious	Browse	193.122.6.168
	PvpMYYhfJl.exe	Get hash	malicious	Browse	193.122.130.0
	PO_287104.exe	Get hash	malicious	Browse	193.122.130.0
	Lista de Precios Isover - Distribuidores 13.04.2022.exe	Get hash	malicious	Browse	193.122.130.0
	Order Purchase.exe	Get hash	malicious	Browse	193.122.130.0
	CONTRACT 1.0.2.exe	Get hash	malicious	Browse	193.122.6.168
	SecuriteInfo.com.W32.MSIL_Kryptik.GXA.genEldorado.18172.exe	Get hash	malicious	Browse	158.101.44.242
	order confirmation 46574 -QT-04-0022.exe	Get hash	malicious	Browse	193.122.6.168
	Revised Proforma Invoice.exe	Get hash	malicious	Browse	193.122.6.168
	ZHOU0422.exe	Get hash	malicious	Browse	132.226.8.169
	img-000.exe	Get hash	malicious	Browse	132.226.8.169
	Bahon Ltd Inquiry#20220412.exe	Get hash	malicious	Browse	193.122.6.168
	KW05200000032220.exe	Get hash	malicious	Browse	193.122.6.168
	Products Inquiries.exe	Get hash	malicious	Browse	132.226.8.169
	jRzSg8vuKb.exe	Get hash	malicious	Browse	193.122.130.0
	DhETQ6889l.exe	Get hash	malicious	Browse	193.122.130.0
	PO_28001.exe	Get hash	malicious	Browse	132.226.8.169
freegeoip.app	LKlxOcLiVTpxUWt.exe	Get hash	malicious	Browse	188.114.96.7
	Document.exe	Get hash	malicious	Browse	188.114.96.7
	payment.exe	Get hash	malicious	Browse	188.114.96.7
	QOUTATION.exe	Get hash	malicious	Browse	188.114.96.7
	PO_287104.exe	Get hash	malicious	Browse	188.114.96.7
	Lista de Precios Isover - Distribuidores 13.04.2022.exe	Get hash	malicious	Browse	188.114.97.7
	Order Purchase.exe	Get hash	malicious	Browse	188.114.97.7
	SecuriteInfo.com.W32.MSIL_Kryptik.GXA.genEldorado.18172.exe	Get hash	malicious	Browse	188.114.97.7
	order confirmation 46574 -QT-04-0022.exe	Get hash	malicious	Browse	188.114.97.7
	Revised Proforma Invoice.exe	Get hash	malicious	Browse	188.114.96.7
	ZHOU0422.exe	Get hash	malicious	Browse	188.114.97.7
	img-000.exe	Get hash	malicious	Browse	188.114.97.7
	Bahon Ltd Inquiry#20220412.exe	Get hash	malicious	Browse	188.114.96.7
	KW05200000032220.exe	Get hash	malicious	Browse	188.114.96.7
	Products Inquiries.exe	Get hash	malicious	Browse	188.114.97.7
	jRzSg8vuKb.exe	Get hash	malicious	Browse	188.114.96.7
	DhETQ6889l.exe	Get hash	malicious	Browse	188.114.96.7
	PO_28001.exe	Get hash	malicious	Browse	188.114.96.7
	Halkbank001.exe	Get hash	malicious	Browse	188.114.96.7
	INVOICE.exe	Get hash	malicious	Browse	188.114.96.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UTMEMUS	LKlxOcLiVTpxUWt.exe	Get hash	malicious	Browse	132.226.8.169
	ZHOU0422.exe	Get hash	malicious	Browse	132.226.8.169
	img-000.exe	Get hash	malicious	Browse	132.226.8.169
	Products Inquiries.exe	Get hash	malicious	Browse	132.226.8.169
	PO_28001.exe	Get hash	malicious	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	Browse	132.226.8.169
	Fl5JugGjR8.exe	Get hash	malicious	Browse	132.226.247.73
	Swift Copy.exe	Get hash	malicious	Browse	132.226.8.169
	Ref-04122022115609.exe	Get hash	malicious	Browse	132.226.8.169
	Phosphoric AcidPR 120006486PO 120008190.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	hesaphareketi-01.exe	Get hash	malicious	Browse	132.226.247.73
	FYI.exe	Get hash	malicious	Browse	132.226.247.73
	Purchase Order PO-33908.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	Invoice Number.exe	Get hash	malicious	Browse	132.226.8.169
	PFA_official _PO.exe	Get hash	malicious	Browse	132.226.247.73
	03456789098765432234567890987654.exe	Get hash	malicious	Browse	132.226.8.169
	Dekont pdf.exe	Get hash	malicious	Browse	132.226.8.169
	23456789-09876543234567890987654508.exe	Get hash	malicious	Browse	132.226.8.169
	All product list.exe	Get hash	malicious	Browse	132.226.247.73
	RFQ110.exe	Get hash	malicious	Browse	132.226.247.73
ROOTLAYERNETNL	SecuriteInfo.com.W32.MSIL_Kryptik.GXA.genEldorado.18172.exe	Get hash	malicious	Browse	45.137.22.163
	order confirmation 46574 -QT-04-0022.exe	Get hash	malicious	Browse	45.137.22.163
	SecuriteInfo.com.Variant.Strictor.270970.1301.exe	Get hash	malicious	Browse	185.222.57.199
	OPOLTRANS 112022.docx	Get hash	malicious	Browse	45.137.22.41
	Quotation-pdf______________________________________.exe	Get hash	malicious	Browse	45.137.22.163
	2467864 _INV_pdf.exe	Get hash	malicious	Browse	45.137.22.163
	conferma d'ordine 46574.exe	Get hash	malicious	Browse	45.137.22.163
	factura proforma PI- PI04522 7486.exe	Get hash	malicious	Browse	45.137.22.163
	PI- PI04522 74868.exe	Get hash	malicious	Browse	45.137.22.163
	jDEnPXUI8C.exe	Get hash	malicious	Browse	185.222.57.203
	gtrrrewre.vbs	Get hash	malicious	Browse	185.222.57.209
	Datos bancarios.pdf.exe	Get hash	malicious	Browse	185.222.57.182
	paymentcopy-pdf__________________________________.exe	Get hash	malicious	Browse	45.137.22.163
	Paymentcopy-pdf___________________________________.exe	Get hash	malicious	Browse	45.137.22.163
	Quote_PDF_Quotation AKPI 04-04-22,pdf.exe	Get hash	malicious	Browse	45.137.22.122
	AIR CARGO BOARDING shipment MAWB 40608657504.exe	Get hash	malicious	Browse	45.137.22.163
	VAE LIMITED PO 2ORD200031-1910319 Swift copy..exe	Get hash	malicious	Browse	45.137.22.179
	Rpt47488747 & Invoice shipping doc.exe	Get hash	malicious	Browse	45.137.22.179
	PI- PI04522748-pdf.exe	Get hash	malicious	Browse	45.137.22.163
	Ordine di acquisto PO-JTT-00001018.exe	Get hash	malicious	Browse	45.137.22.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	LKlxOcLiVTpxUWt.exe	Get hash	malicious	Browse	188.114.96.7
	Document.exe	Get hash	malicious	Browse	188.114.96.7
	Votre_relev#U00e9_fiscal.vbs	Get hash	malicious	Browse	188.114.96.7
	payment.exe	Get hash	malicious	Browse	188.114.96.7
	QOUTATION.exe	Get hash	malicious	Browse	188.114.96.7
	PO_287104.exe	Get hash	malicious	Browse	188.114.96.7
	Lista de Precios Isover - Distribuidores 13.04.2022.exe	Get hash	malicious	Browse	188.114.96.7
	Order Purchase.exe	Get hash	malicious	Browse	188.114.96.7
	relook.exe	Get hash	malicious	Browse	188.114.96.7
	resemble.exe	Get hash	malicious	Browse	188.114.96.7
	HOWDOESHEKNOW.exe	Get hash	malicious	Browse	188.114.96.7
	enter.exe	Get hash	malicious	Browse	188.114.96.7
	CONTRACT 1.0.2.exe	Get hash	malicious	Browse	188.114.96.7
	SecuriteInfo.com.W32.MSIL_Kryptik.GXA.genEldorado.18172.exe	Get hash	malicious	Browse	188.114.96.7
	order confirmation 46574 -QT-04-0022.exe	Get hash	malicious	Browse	188.114.96.7
	Revised Proforma Invoice.exe	Get hash	malicious	Browse	188.114.96.7
	ZHOU0422.exe	Get hash	malicious	Browse	188.114.96.7
	img-000.exe	Get hash	malicious	Browse	188.114.96.7
	Bahon Ltd Inquiry#20220412.exe	Get hash	malicious	Browse	188.114.96.7
	KW05200000032220.exe	Get hash	malicious	Browse	188.114.96.7

Process:	C:\Users\user\Desktop\New order _xls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.6634576394109555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	New order _xls.exe
File size:	55296
MD5:	5f879e53e945fe24f8885774f36d4b1f
SHA1:	04876d8b3b65590d2067e8e52cbf555d2763ace4
SHA256:	5fc33b3fda224e85ca520da99c6caed5bcfef8e0e29636df90b2ff4ca16a9abd
SHA512:	b55fd7f68f8210d5397ad73ec9db5ae5d92977616084f3faab14f4c29e9009fdd755c8b7b3dfd3c4464a5bbd10f1540def85c37fc744194972ce9e950d2042d9
SSDEEP:	384:Oh2xL9bC

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New order _xls.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New order _xls.exe.log

Static File Info

General

Windows Analysis Report
New order _xls.exe