
Windows Analysis Report
P0A2249.exe

Overview

General Information

Sample Name: P0A2249.exe
Analysis ID: 708246
MD5: 43f9694be950da3cbc89ceb296b2eb3b
SHA1: 2138532f5a09386b06a338acab2b79b0167b7f62
SHA256: aa42f20183026e8912e487dc655d4459e8e37e3743cdc7753dc60fa712d8117f
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • P0A2249.exe (PID: 5572 cmdline: "C:\Users\user\Desktop\P0A2249.exe" MD5: 43F9694BE950DA3CBC89CEB296B2EB3B)
    • P0A2249.exe (PID: 6092 cmdline: C:\Users\user\Desktop\P0A2249.exe MD5: 43F9694BE950DA3CBC89CEB296B2EB3B)
  • cleanup
Malware Configuration Extractor (Snake Keylogger): {"Exfil Mode": "Telegram", "Telegram Token": "5478319803:AAHq9LkDUFBRvjOub4YfRlPURZxM59_BVnc", "Telegram ID": "5516439768"}
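The extracted configuration shows the sample exfiltrates through the Telegram Bot API. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it turns a config of this shape into network indicators and checks constructed proxy-log lines for them, flagging any Bot API call and marking those that use the sample's token. It assumes only the public Telegram Bot API URL layout (https://api.telegram.org/bot<token>/<method>); the token, chat id and log lines are placeholders, not the values reported above.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed config in the same shape as the sandbox's extractor output.
# Placeholder token and chat id; substitute the values from the report.
EXTRACTED_CONFIG = json.dumps({
    "Exfil Mode": "Telegram",
    "Telegram Token": "1234567890:AAExampleTokenNotTheReportedOneXYZ0",
    "Telegram ID": "1000000001",
})

# Telegram bot tokens are "<numeric bot id>:<35-character secret>".
TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}")
# Bot API paths are /bot<token>/<method>; capture both parts.
URL_TOKEN_RE = re.compile(r"/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")


def iocs_from_config(config_json: str) -> dict:
    """Derive network indicators from a Snake Keylogger Telegram config."""
    cfg = json.loads(config_json)
    if cfg.get("Exfil Mode") != "Telegram":
        raise ValueError("config is not Telegram exfil mode")
    token = cfg["Telegram Token"]
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("Telegram Token field is not a bot token")
    return {
        "host": "api.telegram.org",
        "token": token,
        "bot_id": token.split(":", 1)[0],
        "chat_id": cfg["Telegram ID"],
        "path_prefix": f"/bot{token}/",
    }


# Constructed proxy log: "<timestamp> <client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2022-09-23T08:11:16Z 192.168.2.3 POST https://api.telegram.org/bot1234567890:AAExampleTokenNotTheReportedOneXYZ0/sendDocument 200
2022-09-23T08:11:20Z 192.168.2.3 POST https://api.telegram.org/bot9876543210:AAUnrelatedBotTokenFromAnotherHostZ/sendMessage 200
2022-09-23T08:12:01Z 192.168.2.7 GET https://checkip.example.test/ 200
"""


def scan_proxy_log(log_text: str, ioc: dict) -> list[dict]:
    """Flag Bot API calls; mark the ones using the token extracted from the sample."""
    hits = []
    for line in log_text.splitlines():
        ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        if parts.hostname != ioc["host"]:
            continue
        m = URL_TOKEN_RE.match(parts.path)
        if not m:
            continue
        token, api_method = m.groups()
        hits.append({
            "timestamp": ts,
            "client": client,
            "api_method": api_method,
            "bot_id": token.split(":", 1)[0],
            "sample_token": token == ioc["token"],
        })
    return hits


if __name__ == "__main__":
    ioc = iocs_from_config(EXTRACTED_CONFIG)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, ioc):
        print(hit)
```

Matching on the token rather than just the host matters: api.telegram.org is legitimate traffic on many networks, while a /bot<token>/sendDocument call from a workstation that has no business running a bot is the exfiltration itself. The second log line shows why the generic token pattern is kept: a fresh build of the same family carries a different token, and the report's Telegram ID (the chat the bot posts to) never appears in the URL.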
Source | Rule | Description | Author
00000000.00000002.267679195.000000000384B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.267679195.000000000384B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.267679195.000000000384B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.267679195.000000000384B000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
Strings matched by MALWARE_Win_SnakeKeylogger (offset:identifier: string):
        • 0x50e04:$x1: $%SMTPDV$
        • 0x70424:$x1: $%SMTPDV$
        • 0x4fac6:$x2: $#TheHashHere%&
        • 0x6f0e6:$x2: $#TheHashHere%&
        • 0x50dac:$x3: %FTPDV$
        • 0x703cc:$x3: %FTPDV$
        • 0x4faa8:$x4: $%TelegramDv$
        • 0x6f0c8:$x4: $%TelegramDv$
        • 0x4d437:$x5: KeyLoggerEventArgs
        • 0x4d7cd:$x5: KeyLoggerEventArgs
        • 0x6ca57:$x5: KeyLoggerEventArgs
        • 0x6cded:$x5: KeyLoggerEventArgs
        • 0x50e30:$m1: | Snake Keylogger
        • 0x50ed6:$m1: | Snake Keylogger
        • 0x5102a:$m1: | Snake Keylogger
        • 0x51150:$m1: | Snake Keylogger
        • 0x512aa:$m1: | Snake Keylogger
        • 0x70450:$m1: | Snake Keylogger
        • 0x704f6:$m1: | Snake Keylogger
        • 0x7064a:$m1: | Snake Keylogger
        • 0x70770:$m1: | Snake Keylogger
00000000.00000002.267679195.000000000384B000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
Strings matched by Windows_Trojan_SnakeKeylogger_af3faa65 (offset:identifier: string):
        • 0x4c241:$a1: get_encryptedPassword
        • 0x6b861:$a1: get_encryptedPassword
        • 0x4c52d:$a2: get_encryptedUsername
        • 0x6bb4d:$a2: get_encryptedUsername
        • 0x4c04d:$a3: get_timePasswordChanged
        • 0x6b66d:$a3: get_timePasswordChanged
        • 0x4c148:$a4: get_passwordField
        • 0x6b768:$a4: get_passwordField
        • 0x4c257:$a5: set_encryptedPassword
        • 0x6b877:$a5: set_encryptedPassword
        • 0x4d86a:$a7: get_logins
        • 0x6ce8a:$a7: get_logins
        • 0x4d7cd:$a10: KeyLoggerEventArgs
        • 0x6cded:$a10: KeyLoggerEventArgs
        • 0x4d437:$a11: KeyLoggerEventArgsEventHandler
        • 0x6ca57:$a11: KeyLoggerEventArgsEventHandler
22 further memory-dump entries are not shown in this extract.
Source | Rule | Description | Author
0.2.P0A2249.exe.3883640.10.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
Strings matched by MAL_Envrial_Jan18_1 (offset:identifier: string):
        • 0x1b0c4:$a2: \Comodo\Dragon\User Data\Default\Login Data
        • 0x3a6e4:$a2: \Comodo\Dragon\User Data\Default\Login Data
        • 0x1a2ad:$a3: \Google\Chrome\User Data\Default\Login Data
        • 0x398cd:$a3: \Google\Chrome\User Data\Default\Login Data
        • 0x1a6f4:$a4: \Orbitum\User Data\Default\Login Data
        • 0x39d14:$a4: \Orbitum\User Data\Default\Login Data
        • 0x1b875:$a5: \Kometa\User Data\Default\Login Data
        • 0x3ae95:$a5: \Kometa\User Data\Default\Login Data
0.2.P0A2249.exe.3883640.10.raw.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.P0A2249.exe.3883640.10.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.P0A2249.exe.3883640.10.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.P0A2249.exe.3883640.10.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
38 further unpacked-file entries are not shown in this extract.
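The string tables above list, for each rule, the identifier and the offset of every match in the scanned dump. The Python below is an added example, not Joe Sandbox's scanner and not the rule authors' code: it re-creates that listing for the MALWARE_Win_SnakeKeylogger strings over a constructed memory-dump stand-in, searching each string in both ASCII and UTF-16LE because .NET string literals are normally stored wide in memory. The rule condition used here is an illustrative assumption, not ditekSHen's actual condition, and the dump contents are constructed.

```python
# Strings of the MALWARE_Win_SnakeKeylogger rule as listed in the report,
# keyed by the identifiers the report prints.
SNAKE_STRINGS = {
    "$x1": b"$%SMTPDV$",
    "$x2": b"$#TheHashHere%&",
    "$x3": b"%FTPDV$",
    "$x4": b"$%TelegramDv$",
    "$x5": b"KeyLoggerEventArgs",
    "$m1": b"| Snake Keylogger",
}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not the report's data)."""
    buf = bytearray(0x1000)
    planted = [
        (0x100, SNAKE_STRINGS["$x1"]),                                # ascii
        (0x200, SNAKE_STRINGS["$x5"].decode().encode("utf-16-le")),  # wide, as .NET stores literals
        (0x300, SNAKE_STRINGS["$m1"]),                                # ascii
        (0x400, SNAKE_STRINGS["$x4"].decode().encode("utf-16-le")),  # wide
    ]
    for off, data in planted:
        buf[off:off + len(data)] = data
    return bytes(buf)


def scan(buf: bytes, strings: dict) -> list:
    """Return (offset, identifier, encoding) for every occurrence, sorted by offset."""
    hits = []
    for ident, ascii_form in strings.items():
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        for encoding, needle in (("ascii", ascii_form), ("wide", wide_form)):
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, ident, encoding))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)


def format_report(hits, strings=SNAKE_STRINGS) -> list:
    """Render hits the way the report lists them, e.g. '0x50e04:$x1: $%SMTPDV$'."""
    return [f"0x{off:x}:{ident}: {strings[ident].decode('ascii')}" for off, ident, _ in hits]


def rule_matches(hits) -> bool:
    """Illustrative condition (an assumption, not the real rule's): the family
    marker $m1 or at least two of the $x channel markers must be present."""
    idents = {ident for _, ident, _ in hits}
    x_count = sum(1 for i in idents if i.startswith("$x"))
    return "$m1" in idents or x_count >= 2


if __name__ == "__main__":
    dump = build_sample_dump()
    for line in format_report(scan(dump, SNAKE_STRINGS)):
        print(line)
    print("rule matches:", rule_matches(scan(dump, SNAKE_STRINGS)))
```

The duplicated offsets in the report (each string found twice, roughly 0x1F620 bytes apart) are what this kind of scan produces when the unpacked payload sits in memory twice, for example the original buffer and the copy handed to the injected child; a single planted copy per string is enough to show the mechanism. Searching only ASCII would miss the wide copies, which is why the example tags each hit with its encoding.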
                No Sigma rule has matched
Snort IDS alert
Timestamp: 09/23/22-08:11:16.993448
Source IP: 192.168.2.3
Destination IP: 193.122.130.0
Source Port: 49702
Destination Port: 80
Protocol: TCP
SID: 2842536
Classtype: A Network Trojan was detected


                AV Detection

Source: P0A2249.exe | ReversingLabs: Detection: 17%
Source: 1.0.P0A2249.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.2.P0A2249.exe.3883640.10.raw.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5478319803:AAHq9LkDUFBRvjOub4YfRlPURZxM59_BVnc", "Telegram ID": "5516439768"}
Source: P0A2249.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: P0A2249.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D63D1h | 1_2_015D6111
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D7507h | 1_2_015D71DA
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D8687h | 1_2_015D83C9
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015DF539h | 1_2_015DF280
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D5F70h | 1_2_015D5587
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015DEC8Ah | 1_2_015DE758
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015DF991h | 1_2_015DF6D8
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D6B10h | 1_2_015D66F8
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D7967h | 1_2_015D76A8
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D7DC7h | 1_2_015D7B08
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015DFDE9h | 1_2_015DFB30
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015D8227h | 1_2_015D7F68
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then jmp 015DF0E1h | 1_2_015DEE28
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_015D50DB
Source: C:\Users\user\Desktop\P0A2249.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_015D52
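The "Code function" entries flag runs of inlined nops followed by a jmp or a stack store, the pattern behind the "Found inlined nop instructions" signature. The Python below is an added example, not the sandbox's detector: it implements that heuristic over a constructed x86 byte buffer placed at the first address listed above, finding runs of at least four 0x90 bytes, decoding the instruction that follows (rel8 or rel32 jmp, or mov dword ptr [ebp+disp8], imm32) and resolving the jump target so the output reads like the report's "4x nop then jmp 015D63D1h". The minimum run length, the byte buffer and the set of decoded instruction forms are assumptions.

```python
import struct

NOP = 0x90


def describe_following(code: bytes, i: int, base: int):
    """Decode the instruction at code[i] if it is one of the forms the report names."""
    op = code[i]
    if op == 0xE9 and i + 5 <= len(code):                          # jmp rel32
        rel = struct.unpack_from("<i", code, i + 1)[0]
        return f"jmp {(base + i + 5 + rel) & 0xFFFFFFFF:08X}h"
    if op == 0xEB and i + 2 <= len(code):                          # jmp rel8
        rel = struct.unpack_from("<b", code, i + 1)[0]
        return f"jmp {(base + i + 2 + rel) & 0xFFFFFFFF:08X}h"
    if op == 0xC7 and i + 7 <= len(code) and code[i + 1] == 0x45:  # mov dword ptr [ebp+disp8], imm32
        disp = struct.unpack_from("<b", code, i + 2)[0]
        imm = struct.unpack_from("<I", code, i + 3)[0]
        sign = "-" if disp < 0 else "+"
        return f"mov dword ptr [ebp{sign}{abs(disp):02X}h], {imm:08X}h"
    return None


def find_nop_runs(code: bytes, base: int, min_nops: int = 4) -> list:
    """Report every run of >= min_nops nops that is followed by a decodable instruction."""
    findings = []
    i = 0
    while i < len(code):
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < len(code) and code[i] == NOP:
            i += 1
        run = i - start
        if run < min_nops or i >= len(code):
            continue
        desc = describe_following(code, i, base)
        if desc is not None:
            findings.append({"offset": base + start, "nops": run, "then": desc})
    return findings


# Constructed function body laid out at the first address the report lists.
# Not bytes from the sample; the jmp displacement is chosen to land on 015D63D1h.
BASE = 0x015D6111
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                            # push ebp; mov ebp, esp
    0x90, 0x90, 0x90, 0x90,                      # 4x nop
    0xE9, 0xB4, 0x02, 0x00, 0x00,                # jmp rel32 -> 015D63D1h
    0x33, 0xC0,                                  # xor eax, eax
    0x90, 0x90,                                  # 2x nop (below the default threshold)
    0xEB, 0x02,                                  # jmp short +2
    0x90, 0x90, 0x90, 0x90, 0x90,                # 5x nop
    0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00,    # mov dword ptr [ebp-14h], 0
    0xC3,                                        # ret
])


if __name__ == "__main__":
    for f in find_nop_runs(SAMPLE_CODE, BASE):
        print(f"{f['nops']}x nop then {f['then']}  (at {f['offset']:08X}h)")
```

Treat hits as a hint rather than proof: the addresses in the report are JIT-compiled .NET code (see the ".NET source code" signatures), and both the JIT and obfuscators emit nop padding, so a run of nops before a jmp is typical of obfuscator output but also appears in benign alignment. Lowering min_nops, as the test does, shows how quickly the heuristic starts picking up ordinary two-byte padding.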