Edit tour

Windows Analysis Report
RFQ pdf.exe

Overview

General Information

Sample Name:	RFQ pdf.exe
Analysis ID:	708249
MD5:	2186990b3fc8fb51de0d235276613505
SHA1:	5e8223137622466c1eca35271586dd6824fb5b1c
SHA256:	e2d1f7e5fe7da6323d2b8105d8aabfbcaf21603059a05c263e14cc079b371718
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Snort IDS alert for network traffic

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

RFQ pdf.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\RFQ pdf.exe" MD5: 2186990B3FC8FB51DE0D235276613505)

RFQ pdf.exe (PID: 3672 cmdline: C:\Users\user\Desktop\RFQ pdf.exe MD5: 2186990B3FC8FB51DE0D235276613505)

WerFault.exe (PID: 3096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1516 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Token": "5149109129:AAGFSJSlChXwgqfifOahBX2gfNaVHTpF5Mk", "Telegram ID": "2014219704"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18584:$x1: $%SMTPDV$ 0x1724a:$x2: $#TheHashHere%& 0x1852c:$x3: %FTPDV$ 0x1722c:$x4: $%TelegramDv$ 0x14b41:$x5: KeyLoggerEventArgs 0x14ed7:$x5: KeyLoggerEventArgs 0x185b0:$m1: \| Snake Keylogger 0x18656:$m1: \| Snake Keylogger 0x187aa:$m1: \| Snake Keylogger 0x188d0:$m1: \| Snake Keylogger 0x18a2a:$m1: \| Snake Keylogger 0x18550:$m2: Clipboard Logs ID 0x18760:$m2: Screenshot Logs ID 0x18874:$m2: keystroke Logs ID 0x18a60:$m3: SnakePW 0x18738:$m4: \SnakeKeylogger\
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13948:$a1: get_encryptedPassword 0x13c34:$a2: get_encryptedUsername 0x13754:$a3: get_timePasswordChanged 0x1384f:$a4: get_passwordField 0x1395e:$a5: set_encryptedPassword 0x14f74:$a7: get_logins 0x14ed7:$a10: KeyLoggerEventArgs 0x14b41:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3a19c:$x1: $%SMTPDV$ 0x14eb44:$x1: $%SMTPDV$ 0x16e164:$x1: $%SMTPDV$ 0x38e62:$x2: $#TheHashHere%& 0x14d80a:$x2: $#TheHashHere%& 0x16ce2a:$x2: $#TheHashHere%& 0x3a144:$x3: %FTPDV$ 0x14eaec:$x3: %FTPDV$ 0x16e10c:$x3: %FTPDV$ 0x38e44:$x4: $%TelegramDv$ 0x14d7ec:$x4: $%TelegramDv$ 0x16ce0c:$x4: $%TelegramDv$ 0x36759:$x5: KeyLoggerEventArgs 0x36aef:$x5: KeyLoggerEventArgs 0x14b101:$x5: KeyLoggerEventArgs 0x14b497:$x5: KeyLoggerEventArgs 0x16a721:$x5: KeyLoggerEventArgs 0x16aab7:$x5: KeyLoggerEventArgs 0x3a1c8:$m1: \| Snake Keylogger 0x3a26e:$m1: \| Snake Keylogger 0x3a3c2:$m1: \| Snake Keylogger
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35560:$a1: get_encryptedPassword 0x149f08:$a1: get_encryptedPassword 0x169528:$a1: get_encryptedPassword 0x3584c:$a2: get_encryptedUsername 0x14a1f4:$a2: get_encryptedUsername 0x169814:$a2: get_encryptedUsername 0x3536c:$a3: get_timePasswordChanged 0x149d14:$a3: get_timePasswordChanged 0x169334:$a3: get_timePasswordChanged 0x35467:$a4: get_passwordField 0x149e0f:$a4: get_passwordField 0x16942f:$a4: get_passwordField 0x35576:$a5: set_encryptedPassword 0x149f1e:$a5: set_encryptedPassword 0x16953e:$a5: set_encryptedPassword 0x36b8c:$a7: get_logins 0x14b534:$a7: get_logins 0x16ab54:$a7: get_logins 0x36aef:$a10: KeyLoggerEventArgs 0x14b497:$a10: KeyLoggerEventArgs 0x16aab7:$a10: KeyLoggerEventArgs
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4dcef:$x5: KeyLoggerEventArgs 0x4e085:$x5: KeyLoggerEventArgs 0x4ea7d:$x5: KeyLoggerEventArgs 0x4edde:$x5: KeyLoggerEventArgs 0x50285:$m1: \| Snake Keylogger 0x502d4:$m1: \| Snake Keylogger 0x50368:$m1: \| Snake Keylogger 0x503c9:$m1: \| Snake Keylogger 0x5043e:$m1: \| Snake Keylogger 0x50254:$m2: Clipboard Logs ID 0x50343:$m2: Screenshot Logs ID 0x5039b:$m2: keystroke Logs ID 0x50459:$m3: SnakePW 0x5032f:$m4: \SnakeKeylogger\
Process Memory Space: RFQ pdf.exe PID: 3868	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4bdc5:$a1: get_encryptedPassword 0x4c0a7:$a2: get_encryptedUsername 0x4bbdb:$a3: get_timePasswordChanged 0x4bcd6:$a4: get_passwordField 0x4bddb:$a5: set_encryptedPassword 0x4e122:$a7: get_logins 0x4e085:$a10: KeyLoggerEventArgs 0x4dcef:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RFQ pdf.exe PID: 3672	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3672	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3672	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4fd4:$x5: KeyLoggerEventArgs 0x536a:$x5: KeyLoggerEventArgs 0x5d62:$x5: KeyLoggerEventArgs 0x60c3:$x5: KeyLoggerEventArgs 0x756a:$m1: \| Snake Keylogger 0x75b9:$m1: \| Snake Keylogger 0x764d:$m1: \| Snake Keylogger 0x76ae:$m1: \| Snake Keylogger 0x7723:$m1: \| Snake Keylogger 0x7539:$m2: Clipboard Logs ID 0x7628:$m2: Screenshot Logs ID 0x7680:$m2: keystroke Logs ID 0x773e:$m3: SnakePW 0x7614:$m4: \SnakeKeylogger\
Process Memory Space: RFQ pdf.exe PID: 3672	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30aa:$a1: get_encryptedPassword 0x338c:$a2: get_encryptedUsername 0x2ec0:$a3: get_timePasswordChanged 0x2fbb:$a4: get_passwordField 0x30c0:$a5: set_encryptedPassword 0x5407:$a7: get_logins 0x536a:$a10: KeyLoggerEventArgs 0x4fd4:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.RFQ pdf.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b084:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a26d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6b4:$a4: \Orbitum\User Data\Default\Login Data 0x1b835:$a5: \Kometa\User Data\Default\Login Data
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x146d1:$s1: UnHook 0x146d8:$s2: SetHook 0x146e0:$s3: CallNextHook 0x146ed:$s4: _hook
2.0.RFQ pdf.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18784:$x1: $%SMTPDV$ 0x1744a:$x2: $#TheHashHere%& 0x1872c:$x3: %FTPDV$ 0x1742c:$x4: $%TelegramDv$ 0x14d41:$x5: KeyLoggerEventArgs 0x150d7:$x5: KeyLoggerEventArgs 0x187b0:$m1: \| Snake Keylogger 0x18856:$m1: \| Snake Keylogger 0x189aa:$m1: \| Snake Keylogger 0x18ad0:$m1: \| Snake Keylogger 0x18c2a:$m1: \| Snake Keylogger 0x18750:$m2: Clipboard Logs ID 0x18960:$m2: Screenshot Logs ID 0x18a74:$m2: keystroke Logs ID 0x18c60:$m3: SnakePW 0x18938:$m4: \SnakeKeylogger\
2.0.RFQ pdf.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13b48:$a1: get_encryptedPassword 0x13e34:$a2: get_encryptedUsername 0x13954:$a3: get_timePasswordChanged 0x13a4f:$a4: get_passwordField 0x13b5e:$a5: set_encryptedPassword 0x15174:$a7: get_logins 0x150d7:$a10: KeyLoggerEventArgs 0x14d41:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ pdf.exe.3af6a18.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19284:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1846d:$a3: \Google\Chrome\User Data\Default\Login Data 0x188b4:$a4: \Orbitum\User Data\Default\Login Data 0x19a35:$a5: \Kometa\User Data\Default\Login Data
0.2.RFQ pdf.exe.3af6a18.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x128d1:$s1: UnHook 0x128d8:$s2: SetHook 0x128e0:$s3: CallNextHook 0x128ed:$s4: _hook
0.2.RFQ pdf.exe.3af6a18.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16984:$x1: $%SMTPDV$ 0x1564a:$x2: $#TheHashHere%& 0x1692c:$x3: %FTPDV$ 0x1562c:$x4: $%TelegramDv$ 0x12f41:$x5: KeyLoggerEventArgs 0x132d7:$x5: KeyLoggerEventArgs 0x169b0:$m1: \| Snake Keylogger 0x16a56:$m1: \| Snake Keylogger 0x16baa:$m1: \| Snake Keylogger 0x16cd0:$m1: \| Snake Keylogger 0x16e2a:$m1: \| Snake Keylogger 0x16950:$m2: Clipboard Logs ID 0x16b60:$m2: Screenshot Logs ID 0x16c74:$m2: keystroke Logs ID 0x16e60:$m3: SnakePW 0x16b38:$m4: \SnakeKeylogger\
0.2.RFQ pdf.exe.3af6a18.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11d48:$a1: get_encryptedPassword 0x12034:$a2: get_encryptedUsername 0x11b54:$a3: get_timePasswordChanged 0x11c4f:$a4: get_passwordField 0x11d5e:$a5: set_encryptedPassword 0x13374:$a7: get_logins 0x132d7:$a10: KeyLoggerEventArgs 0x12f41:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x946a4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xb3cc4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9388d:$a3: \Google\Chrome\User Data\Default\Login Data 0xb2ead:$a3: \Google\Chrome\User Data\Default\Login Data 0x93cd4:$a4: \Orbitum\User Data\Default\Login Data 0xb32f4:$a4: \Orbitum\User Data\Default\Login Data 0x94e55:$a5: \Kometa\User Data\Default\Login Data 0xb4475:$a5: \Kometa\User Data\Default\Login Data
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x8dcf1:$s1: UnHook 0xad311:$s1: UnHook 0x8dcf8:$s2: SetHook 0xad318:$s2: SetHook 0x8dd00:$s3: CallNextHook 0xad320:$s3: CallNextHook 0x8dd0d:$s4: _hook 0xad32d:$s4: _hook
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x91da4:$x1: $%SMTPDV$ 0xb13c4:$x1: $%SMTPDV$ 0x90a6a:$x2: $#TheHashHere%& 0xb008a:$x2: $#TheHashHere%& 0x91d4c:$x3: %FTPDV$ 0xb136c:$x3: %FTPDV$ 0x90a4c:$x4: $%TelegramDv$ 0xb006c:$x4: $%TelegramDv$ 0x8e361:$x5: KeyLoggerEventArgs 0x8e6f7:$x5: KeyLoggerEventArgs 0xad981:$x5: KeyLoggerEventArgs 0xadd17:$x5: KeyLoggerEventArgs 0x91dd0:$m1: \| Snake Keylogger 0x91e76:$m1: \| Snake Keylogger 0x91fca:$m1: \| Snake Keylogger 0x920f0:$m1: \| Snake Keylogger 0x9224a:$m1: \| Snake Keylogger 0xb13f0:$m1: \| Snake Keylogger 0xb1496:$m1: \| Snake Keylogger 0xb15ea:$m1: \| Snake Keylogger 0xb1710:$m1: \| Snake Keylogger
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8d168:$a1: get_encryptedPassword 0xac788:$a1: get_encryptedPassword 0x8d454:$a2: get_encryptedUsername 0xaca74:$a2: get_encryptedUsername 0x8cf74:$a3: get_timePasswordChanged 0xac594:$a3: get_timePasswordChanged 0x8d06f:$a4: get_passwordField 0xac68f:$a4: get_passwordField 0x8d17e:$a5: set_encryptedPassword 0xac79e:$a5: set_encryptedPassword 0x8e794:$a7: get_logins 0xaddb4:$a7: get_logins 0x8e6f7:$a10: KeyLoggerEventArgs 0xadd17:$a10: KeyLoggerEventArgs 0x8e361:$a11: KeyLoggerEventArgsEventHandler 0xad981:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x146d1:$s1: UnHook 0x129079:$s1: UnHook 0x148699:$s1: UnHook 0x146d8:$s2: SetHook 0x129080:$s2: SetHook 0x1486a0:$s2: SetHook 0x146e0:$s3: CallNextHook 0x129088:$s3: CallNextHook 0x1486a8:$s3: CallNextHook 0x146ed:$s4: _hook 0x129095:$s4: _hook 0x1486b5:$s4: _hook
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18784:$x1: $%SMTPDV$ 0x12d12c:$x1: $%SMTPDV$ 0x14c74c:$x1: $%SMTPDV$ 0x1744a:$x2: $#TheHashHere%& 0x12bdf2:$x2: $#TheHashHere%& 0x14b412:$x2: $#TheHashHere%& 0x1872c:$x3: %FTPDV$ 0x12d0d4:$x3: %FTPDV$ 0x14c6f4:$x3: %FTPDV$ 0x1742c:$x4: $%TelegramDv$ 0x12bdd4:$x4: $%TelegramDv$ 0x14b3f4:$x4: $%TelegramDv$ 0x14d41:$x5: KeyLoggerEventArgs 0x150d7:$x5: KeyLoggerEventArgs 0x1296e9:$x5: KeyLoggerEventArgs 0x129a7f:$x5: KeyLoggerEventArgs 0x148d09:$x5: KeyLoggerEventArgs 0x14909f:$x5: KeyLoggerEventArgs 0x187b0:$m1: \| Snake Keylogger 0x18856:$m1: \| Snake Keylogger 0x189aa:$m1: \| Snake Keylogger
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13b48:$a1: get_encryptedPassword 0x1284f0:$a1: get_encryptedPassword 0x147b10:$a1: get_encryptedPassword 0x13e34:$a2: get_encryptedUsername 0x1287dc:$a2: get_encryptedUsername 0x147dfc:$a2: get_encryptedUsername 0x13954:$a3: get_timePasswordChanged 0x1282fc:$a3: get_timePasswordChanged 0x14791c:$a3: get_timePasswordChanged 0x13a4f:$a4: get_passwordField 0x1283f7:$a4: get_passwordField 0x147a17:$a4: get_passwordField 0x13b5e:$a5: set_encryptedPassword 0x128506:$a5: set_encryptedPassword 0x147b26:$a5: set_encryptedPassword 0x15174:$a7: get_logins 0x129b1c:$a7: get_logins 0x14913c:$a7: get_logins 0x150d7:$a10: KeyLoggerEventArgs 0x129a7f:$a10: KeyLoggerEventArgs 0x14909f:$a10: KeyLoggerEventArgs
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x35cf1:$s1: UnHook 0x14a699:$s1: UnHook 0x169cb9:$s1: UnHook 0x35cf8:$s2: SetHook 0x14a6a0:$s2: SetHook 0x169cc0:$s2: SetHook 0x35d00:$s3: CallNextHook 0x14a6a8:$s3: CallNextHook 0x169cc8:$s3: CallNextHook 0x35d0d:$s4: _hook 0x14a6b5:$s4: _hook 0x169cd5:$s4: _hook
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39da4:$x1: $%SMTPDV$ 0x14e74c:$x1: $%SMTPDV$ 0x16dd6c:$x1: $%SMTPDV$ 0x38a6a:$x2: $#TheHashHere%& 0x14d412:$x2: $#TheHashHere%& 0x16ca32:$x2: $#TheHashHere%& 0x39d4c:$x3: %FTPDV$ 0x14e6f4:$x3: %FTPDV$ 0x16dd14:$x3: %FTPDV$ 0x38a4c:$x4: $%TelegramDv$ 0x14d3f4:$x4: $%TelegramDv$ 0x16ca14:$x4: $%TelegramDv$ 0x36361:$x5: KeyLoggerEventArgs 0x366f7:$x5: KeyLoggerEventArgs 0x14ad09:$x5: KeyLoggerEventArgs 0x14b09f:$x5: KeyLoggerEventArgs 0x16a329:$x5: KeyLoggerEventArgs 0x16a6bf:$x5: KeyLoggerEventArgs 0x39dd0:$m1: \| Snake Keylogger 0x39e76:$m1: \| Snake Keylogger 0x39fca:$m1: \| Snake Keylogger
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35168:$a1: get_encryptedPassword 0x149b10:$a1: get_encryptedPassword 0x169130:$a1: get_encryptedPassword 0x35454:$a2: get_encryptedUsername 0x149dfc:$a2: get_encryptedUsername 0x16941c:$a2: get_encryptedUsername 0x34f74:$a3: get_timePasswordChanged 0x14991c:$a3: get_timePasswordChanged 0x168f3c:$a3: get_timePasswordChanged 0x3506f:$a4: get_passwordField 0x149a17:$a4: get_passwordField 0x169037:$a4: get_passwordField 0x3517e:$a5: set_encryptedPassword 0x149b26:$a5: set_encryptedPassword 0x169146:$a5: set_encryptedPassword 0x36794:$a7: get_logins 0x14b13c:$a7: get_logins 0x16a75c:$a7: get_logins 0x366f7:$a10: KeyLoggerEventArgs 0x14b09f:$a10: KeyLoggerEventArgs 0x16a6bf:$a10: KeyLoggerEventArgs
Click to see the 32 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.6 - Destination IP: 193.122.6.168

Timestamp:	192.168.2.6193.122.6.16849721802842536 09/23/22-08:12:30.599509
SID:	2842536
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RFQ pdf.exe	Virustotal: Detection: 40%			Perma Link
Source: RFQ pdf.exe	ReversingLabs: Detection: 20%

Machine Learning detection for sample

Source: RFQ pdf.exe

Joe Sandbox ML: detected

Source: 2.0.RFQ pdf.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Source: 2.0.RFQ pdf.exe.400000.0.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5149109129:AAGFSJSlChXwgqfifOahBX2gfNaVHTpF5Mk", "Telegram ID": "2014219704"}

Source: RFQ pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: C:\Users\user\Desktop\RFQ pdf.PDB source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RFQ pdf.PDB05 source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdbj source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: (Pij0C:\Windows\mscorlib.pdb source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.pdb% source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: MC:\Users\user\Desktop\RFQ pdf.PDB@ source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7306.tmp.dmp.13.dr

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
RFQ pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Windows Analysis Report
RFQ pdf.exe