
Windows Analysis Report


General Information

Sample Name: l9qmoY93Ed.exe
Analysis ID: 708248


Classification: Snake Keylogger (score range: 0 - 100)


Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32-bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name is different from the original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)


  • System is w10x64
  • l9qmoY93Ed.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\l9qmoY93Ed.exe" MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 3276 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 4460 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
  • cleanup
Malware configuration (extracted from the sample):
{"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Yara matches in memory dumps:
  • Source: 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
  • Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  • Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
  • Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  • Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
    Matched strings:
          • 0x1742c:$x1: $%SMTPDV$
          • 0x17442:$x2: $#TheHashHere%&
          • 0x187cc:$x3: %FTPDV$
          • 0x18894:$x4: $%TelegramDv$
          • 0x14d3d:$x5: KeyLoggerEventArgs
          • 0x150d3:$x5: KeyLoggerEventArgs
          • 0x1883c:$m1: | Snake Keylogger
          • 0x188f4:$m1: | Snake Keylogger
          • 0x18a48:$m1: | Snake Keylogger
          • 0x18b6e:$m1: | Snake Keylogger
          • 0x18cc8:$m1: | Snake Keylogger
          • 0x187f0:$m2: Clipboard Logs ID
          • 0x189fe:$m2: Screenshot Logs ID
          • 0x18b12:$m2: keystroke Logs ID
          • 0x18cfe:$m3: SnakePW
          • 0x189d6:$m4: \SnakeKeylogger\
Yara matches in unpacked PE files:
  • Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
    Matched strings:
          • 0x1b362:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0x1a54b:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0x1a992:$a4: \Orbitum\User Data\Default\Login Data
          • 0x1bb13:$a5: \Kometa\User Data\Default\Login Data
  • Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  • Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
  • Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  • Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security