Windows Analysis Report
3EqRILOXx1.exe

Overview

General Information

Sample Name: 3EqRILOXx1.exe
Analysis ID: 614683
MD5: 5ca02369b45067fe039314f38b286767
SHA1: b11ff0b977b16863c34dc35126f1d3d13ab5cc4f
SHA256: 039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154
Tags: exesansisc
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
Uses 32bit PE files
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
One or more processes crash
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Found malware configuration
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://103.147.185.85/", "Password": "bvhfgas7", "Port": 21}
Multi AV Scanner detection for submitted file
Source: 3EqRILOXx1.exe ReversingLabs: Detection: 69%
Antivirus / Scanner detection for submitted sample
Source: 3EqRILOXx1.exe Avira: detected
Machine Learning detection for sample
Source: 3EqRILOXx1.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 3EqRILOXx1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\3EqRILOXx1.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 3EqRILOXx1.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source: Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe
Source: Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source: Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.4:49738 -> 132.226.247.73:80
May check the online IP address of the machine
Source: C:\Users\user\Desktop\3EqRILOXx1.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\3EqRILOXx1.exe DNS query: name: checkip.dyndns.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UTMEMUS UTMEMUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: 3EqRILOXx1.exe, 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: 3EqRILOXx1.exe String found in binary or memory: http://checkip.dyndns.org/q
Source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgx&Qq
Source: 3EqRILOXx1.exe String found in binary or memory: https://api.telegram.org/bot
Source: 3EqRILOXx1.exe String found in binary or memory: https://freegeoip.app/xml/
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Code function: 0_2_00EBA09A recv, 0_2_00EBA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to capture screen (.Net source)
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs .Net Code: TakeScreenshot
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs .Net Code: TakeScreenshot

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3EqRILOXx1.exe, type: SAMPLE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3EqRILOXx1.exe, type: SAMPLE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3EqRILOXx1.exe, type: SAMPLE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Uses 32bit PE files
Source: 3EqRILOXx1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3EqRILOXx1.exe, type: SAMPLE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3EqRILOXx1.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3EqRILOXx1.exe, type: SAMPLE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
One or more processes crash
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364
Contains functionality to call native functions
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Code function: 0_2_00EBA67E NtQuerySystemInformation, 0_2_00EBA67E
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Code function: 0_2_00EBA64D NtQuerySystemInformation, 0_2_00EBA64D
Sample file is different than original file name gathered from version info
Source: 3EqRILOXx1.exe, 00000000.00000002.318794855.00000000007F8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe
Source: 3EqRILOXx1.exe Binary or memory string: OriginalFilenamewvwsOyZpBTrBOUxpiQDJT.exeL vs 3EqRILOXx1.exe
Source: 3EqRILOXx1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3EqRILOXx1.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\3EqRILOXx1.exe File read: C:\Users\user\Desktop\3EqRILOXx1.exe Jump to behavior
Source: 3EqRILOXx1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\3EqRILOXx1.exe "C:\Users\user\Desktop\3EqRILOXx1.exe"
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Code function: 0_2_00EBA502 AdjustTokenPrivileges, 0_2_00EBA502
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Code function: 0_2_00EBA4CB AdjustTokenPrivileges, 0_2_00EBA4CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5266.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/1
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 3EqRILOXx1.exe String found in binary or memory: F-Stopw
Source: 3EqRILOXx1.exe String found in binary or memory: F-Stopw
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVIDPickers.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\3EqRILOXx1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 3EqRILOXx1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3EqRILOXx1.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: browserpassEcostura.browserpass.dll.compressedEcostura.browserpass.pdb.compressed+newtonsoft.json.net20Ycostura.newtonsoft.json.net20.dll.compressedYcostura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source: Binary string: costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe
Source: Binary string: symbols\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.318849682.0000000000B86000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: q#"costura.browserpass.pdb.compressed source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.newtonsoft.json.net20.pdb.compressed source: 3EqRILOXx1.exe
Source: Binary string: q-,costura.newtonsoft.json.net20.pdb.compressed( source: 3EqRILOXx1.exe, 00000000.00000002.319518854.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: 3EqRILOXx1.exe, 00000000.00000002.319295855.0000000000F06000.00000004.00000020.00020000.00000000.sdmp
Source: initial sample Static PE information: section name: .text entropy: 7.74079601316
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 3EqRILOXx1.exe, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.0.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/COVID19.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.2.3EqRILOXx1.exe.780000.0.unpack, wvwsOyZpBTrBOUxpiQDJT/FFDecryptor.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1364 Jump to behavior
Source: C:\Users\user\Desktop\3EqRILOXx1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 3EqRILOXx1.exe, type: SAMPLE
Source: Yara match File source: 0.0.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3EqRILOXx1.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318642073.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.225338757.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3EqRILOXx1.exe PID: 6192, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 614683 Sample: 3EqRILOXx1.exe Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 19 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->19 21 Found malware configuration 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 7 other signatures 2->25 6 3EqRILOXx1.exe 15 4 2->6         started        process3 dnsIp4 15 checkip.dyndns.com 132.226.247.73, 49738, 80 UTMEMUS United States 6->15 17 checkip.dyndns.org 6->17 27 May check the online IP address of the machine 6->27 10 dw20.exe 19 6 6->10         started        signatures5 process6 file7 13 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->13 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS true

Contacted Domains

Name IP Active
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ true
  • URL Reputation: safe
 unknown