

Windows Analysis Report
l9qmoY93Ed.exe

Overview

General Information

Sample Name: l9qmoY93Ed.exe
Analysis ID: 708248
MD5: fb561127230e7104e2df440f2712581e
SHA1: 62741306fbb863c7def4a3cc21175a3badf59f14
SHA256: 48929d6ac22fe9d2edee0e1ea483b143786d3b0965be5c771eb6a2d90018df21
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name in the version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • l9qmoY93Ed.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\l9qmoY93Ed.exe" MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 3276 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 4460 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
  • cleanup
Malware Configuration

{"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen | matched strings (offset, identifier, value):
          • 0x1742c:$x1: $%SMTPDV$
          • 0x17442:$x2: $#TheHashHere%&
          • 0x187cc:$x3: %FTPDV$
          • 0x18894:$x4: $%TelegramDv$
          • 0x14d3d:$x5: KeyLoggerEventArgs
          • 0x150d3:$x5: KeyLoggerEventArgs
          • 0x1883c:$m1: | Snake Keylogger
          • 0x188f4:$m1: | Snake Keylogger
          • 0x18a48:$m1: | Snake Keylogger
          • 0x18b6e:$m1: | Snake Keylogger
          • 0x18cc8:$m1: | Snake Keylogger
          • 0x187f0:$m2: Clipboard Logs ID
          • 0x189fe:$m2: Screenshot Logs ID
          • 0x18b12:$m2: keystroke Logs ID
          • 0x18cfe:$m3: SnakePW
          • 0x189d6:$m4: \SnakeKeylogger\
Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.l9qmoY93Ed.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | matched strings (offset, identifier, value):
          • 0x1b362:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0x1a54b:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0x1a992:$a4: \Orbitum\User Data\Default\Login Data
          • 0x1bb13:$a5: \Kometa\User Data\Default\Login Data
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.0.l9qmoY93Ed.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
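The Yara hits above are what a triage analyst actually uses: the exfil-channel markers ($%SMTPDV$, %FTPDV$, $%TelegramDv$), the "| Snake Keylogger" / "... Logs ID" branding strings, and the browser "Login Data" paths from the Envrial rule. The scanner below is an added example, not code from Joe Sandbox, ditekSHen or Florian Roth: it searches a memory dump or unpacked PE for those strings in both ASCII and UTF-16LE form (the way YARA's `ascii wide` modifiers do, which matters for .NET user strings) and prints offset/identifier pairs in the same shape as the report. The $m2 regex, the verdict condition and the `build_sample` blob are assumptions made for illustration; the real rules' conditions are not on this page.

```python
"""Added example: string-signature scanner modelled on the Yara hits in this
report.  Not Joe Sandbox, ditekSHen or Florian Roth code; marker strings are
copied from the report, the $m2 regex and verdict condition are assumptions."""
import re
import sys
from typing import Dict, List, Tuple, Union

Pattern = Union[bytes, re.Pattern]
Hit = Tuple[int, str]  # (offset, "ascii" | "wide")

# $x*/$m* markers from the MALWARE_Win_SnakeKeylogger hits listed above.
SNAKE_X: Dict[str, Pattern] = {
    "x1": b"$%SMTPDV$",
    "x2": b"$#TheHashHere%&",
    "x3": b"%FTPDV$",
    "x4": b"$%TelegramDv$",
    "x5": b"KeyLoggerEventArgs",
}
SNAKE_M: Dict[str, Pattern] = {
    "m1": b"| Snake Keylogger",
    # The report shows $m2 hitting three different "... Logs ID" strings, so it
    # is modelled here as a regex (assumption; the real rule may differ).
    "m2": re.compile(rb"(?:Clipboard|Screenshot|keystroke) Logs ID"),
    "m3": b"SnakePW",
    "m4": b"\\SnakeKeylogger\\",
}
# Browser credential-store paths from the MAL_Envrial_Jan18_1 hits.
ENVRIAL_A: Dict[str, Pattern] = {
    "a2": b"\\Comodo\\Dragon\\User Data\\Default\\Login Data",
    "a3": b"\\Google\\Chrome\\User Data\\Default\\Login Data",
    "a4": b"\\Orbitum\\User Data\\Default\\Login Data",
    "a5": b"\\Kometa\\User Data\\Default\\Login Data",
}


def _compiled(value: Pattern) -> List[Tuple[str, re.Pattern]]:
    """Expand a literal into its ASCII and UTF-16LE forms (YARA `ascii wide`).
    .NET user strings sit in the #US heap as UTF-16LE, so both encodings matter."""
    if isinstance(value, re.Pattern):
        return [("ascii", value)]
    wide = value.decode("ascii").encode("utf-16-le")
    return [("ascii", re.compile(re.escape(value))),
            ("wide", re.compile(re.escape(wide)))]


def find_strings(data: bytes, table: Dict[str, Pattern]) -> Dict[str, List[Hit]]:
    """Return {marker: [(offset, encoding), ...]} for every marker present."""
    hits: Dict[str, List[Hit]] = {}
    for name, value in table.items():
        for enc, pat in _compiled(value):
            for m in pat.finditer(data):
                hits.setdefault(name, []).append((m.start(), enc))
    return hits


def classify(data: bytes) -> dict:
    """Run all three marker tables and apply an assumed verdict condition."""
    x = find_strings(data, SNAKE_X)
    m = find_strings(data, SNAKE_M)
    a = find_strings(data, ENVRIAL_A)
    return {
        # Assumed condition for illustration: two exfil/keylogger markers plus
        # two branding markers.  The real rule's condition is not on the page.
        "snake_keylogger": len(x) >= 2 and len(m) >= 2,
        "browser_credential_paths": len(a) >= 2,
        "x": x, "m": m, "a": a,
    }


def build_sample() -> bytes:
    """Constructed blob standing in for a memory dump; not the real sample."""
    pad = b"\x00" * 64
    return b"".join([
        pad, b"$%SMTPDV$",                                          # $x1, ascii
        pad, "KeyLoggerEventArgs".encode("utf-16-le"),              # $x5, wide
        pad, b"| Snake Keylogger",                                  # $m1
        pad, b"Screenshot Logs ID",                                 # $m2
        pad, b"\\Google\\Chrome\\User Data\\Default\\Login Data",   # $a3
        pad, b"\\Orbitum\\User Data\\Default\\Login Data",          # $a4
        pad,
    ])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = classify(blob)
    for group in ("x", "m", "a"):
        for name, hits in sorted(result[group].items()):
            for off, enc in hits:
                print(f"0x{off:x}:${name} ({enc})")
    print("Snake Keylogger:", result["snake_keylogger"],
          "| browser Login Data paths:", result["browser_credential_paths"])
```

Run it against a process memory dump or the unpacked PE (`python snake_scan.py 2.0.l9qmoY93Ed.exe.400000.0.unpack`) to reproduce the offset/identifier listing; with no argument it scans the constructed blob. Treat a hit on the $x markers as the stronger signal: they name the exfil channels the config above confirms (SMTP here), while the $m branding strings and the browser paths are easy for a packer or a fork to rename.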