Windows Analysis Report
RFQ pdf.exe

Overview

General Information

Sample Name: RFQ pdf.exe
Analysis ID: 708249
MD5: 2186990b3fc8fb51de0d235276613505
SHA1: 5e8223137622466c1eca35271586dd6824fb5b1c
SHA256: e2d1f7e5fe7da6323d2b8105d8aabfbcaf21603059a05c263e14cc079b371718
Tags: exe SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • RFQ pdf.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\RFQ pdf.exe" MD5: 2186990B3FC8FB51DE0D235276613505)
    • RFQ pdf.exe (PID: 3672 cmdline: C:\Users\user\Desktop\RFQ pdf.exe MD5: 2186990B3FC8FB51DE0D235276613505)
      • WerFault.exe (PID: 3096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1516 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5149109129:AAGFSJSlChXwgqfifOahBX2gfNaVHTpF5Mk", "Telegram ID": "2014219704"}

Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_SnakeKeylogger
Description: Yara detected Snake Keylogger
Author: Joe Security

Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_TelegramRAT
Description: Yara detected Telegram RAT
Author: Joe Security

Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: MALWARE_Win_SnakeKeylogger
Description: Detects Snake Keylogger
Author: ditekSHen
Strings:
  • 0x18584:$x1: $%SMTPDV$
  • 0x1724a:$x2: $#TheHashHere%&
  • 0x1852c:$x3: %FTPDV$
  • 0x1722c:$x4: $%TelegramDv$
  • 0x14b41:$x5: KeyLoggerEventArgs
  • 0x14ed7:$x5: KeyLoggerEventArgs
  • 0x185b0:$m1: | Snake Keylogger
  • 0x18656:$m1: | Snake Keylogger
  • 0x187aa:$m1: | Snake Keylogger
  • 0x188d0:$m1: | Snake Keylogger
  • 0x18a2a:$m1: | Snake Keylogger
  • 0x18550:$m2: Clipboard Logs ID
  • 0x18760:$m2: Screenshot Logs ID
  • 0x18874:$m2: keystroke Logs ID
  • 0x18a60:$m3: SnakePW
  • 0x18738:$m4: \SnakeKeylogger\

Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0x13948:$a1: get_encryptedPassword
  • 0x13c34:$a2: get_encryptedUsername
  • 0x13754:$a3: get_timePasswordChanged
  • 0x1384f:$a4: get_passwordField
  • 0x1395e:$a5: set_encryptedPassword
  • 0x14f74:$a7: get_logins
  • 0x14ed7:$a10: KeyLoggerEventArgs
  • 0x14b41:$a11: KeyLoggerEventArgsEventHandler
Source: 2.0.RFQ pdf.exe.400000.0.unpack
Rule: MAL_Envrial_Jan18_1
Description: Detects Encrial credential stealer malware
Author: Florian Roth
Strings:
  • 0x1b084:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a26d:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1a6b4:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1b835:$a5: \Kometa\User Data\Default\Login Data

Source: 2.0.RFQ pdf.exe.400000.0.unpack
Rule: JoeSecurity_SnakeKeylogger
Description: Yara detected Snake Keylogger
Author: Joe Security

Source: 2.0.RFQ pdf.exe.400000.0.unpack
Rule: JoeSecurity_TelegramRAT
Description: Yara detected Telegram RAT
Author: Joe Security

Source: 2.0.RFQ pdf.exe.400000.0.unpack
Rule: JoeSecurity_GenericDownloader_1
Description: Yara detected Generic Downloader
Author: Joe Security

Source: 2.0.RFQ pdf.exe.400000.0.unpack
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security
                No Sigma rule has matched
Timestamp: 09/23/22-08:12:30.599509
Source IP: 192.168.2.6
Destination IP: 193.122.6.168
Source Port: 49721
Destination Port: 80
SID: 2842536
Protocol: TCP
Classtype: A Network Trojan was detected


                AV Detection

Source: RFQ pdf.exe | Virustotal: Detection: 40%
Source: RFQ pdf.exe | ReversingLabs: Detection: 20%
Source: RFQ pdf.exe | Joe Sandbox ML: detected
Source: 2.0.RFQ pdf.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 2.0.RFQ pdf.exe.400000.0.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5149109129:AAGFSJSlChXwgqfifOahBX2gfNaVHTpF5Mk", "Telegram ID": "2014219704"}
Source: RFQ pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Core.ni.pdbRSDSD source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Xml.ni.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: mscorlib.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
                Source: Binary string: C:\Users\user\Desktop\RFQ pdf.PDB source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: RFQ pdf.PDB05 source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.pdbj source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Core.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: (Pij0C:\Windows\mscorlib.pdb source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Core.pdb% source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: MC:\Users\user\Desktop\RFQ pdf.PDB@ source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Xml.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.ni.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER7306.tmp.dmp.13.dr
                Source: Binary string: System.Core.ni.pdb source: WER7306.tmp.dmp.13.dr

                Networking

Source: Traffic | Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.6:49721 -> 193.122.6.168:80
Source: C:\Users\user\Desktop\RFQ pdf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ pdf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ pdf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ pdf.exe | DNS query: name: checkip.dyndns.org
Source: Yara match | File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: ORACLE-BMC-31898US
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive