Windows Analysis Report
RFQ.exe

Overview

General Information

Sample Name:RFQ.exe
Analysis ID:715063
MD5:aad07a56490f6741c3921858f3043e79
SHA1:a94598c7fc15b6c5acc91f1436dba83997e11e28
SHA256:3e2d304ef3b13cf0e4ce178d8b04878537871fe4957a579da336daee46cdeeef
Tags:exe

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • RFQ.exe (PID: 4968 cmdline: C:\Users\user\Desktop\RFQ.exe MD5: AAD07A56490F6741C3921858F3043E79)
    • RFQ.exe (PID: 3388 cmdline: C:\Users\user\Desktop\RFQ.exe MD5: AAD07A56490F6741C3921858F3043E79)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "mariel.lalu@jeteix.com", "Password": "qlRYaFn8   ", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
          • 0x10eee4:$x1: $%SMTPDV$
          • 0x12e504:$x1: $%SMTPDV$
          • 0x10eefa:$x2: $#TheHashHere%&
          • 0x12e51a:$x2: $#TheHashHere%&
          • 0x1101e8:$x3: %FTPDV$
          • 0x12f808:$x3: %FTPDV$
          • 0x1102ba:$x4: $%TelegramDv$
          • 0x12f8da:$x4: $%TelegramDv$
          • 0x10c849:$x5: KeyLoggerEventArgs
          • 0x10cbdf:$x5: KeyLoggerEventArgs
          • 0x12be69:$x5: KeyLoggerEventArgs
          • 0x12c1ff:$x5: KeyLoggerEventArgs
          • 0x110258:$m1: | Snake Keylogger
          • 0x11031a:$m1: | Snake Keylogger
          • 0x11046e:$m1: | Snake Keylogger
          • 0x110594:$m1: | Snake Keylogger
          • 0x1106ee:$m1: | Snake Keylogger
          • 0x12f878:$m1: | Snake Keylogger
          • 0x12f93a:$m1: | Snake Keylogger
          • 0x12fa8e:$m1: | Snake Keylogger
          • 0x12fbb4:$m1: | Snake Keylogger
Source | Rule | Description | Author | Strings
Source: 0.2.RFQ.exe.471c928.11.raw.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
          • 0x94220:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0xb3840:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0x93409:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0xb2a29:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0x93850:$a4: \Orbitum\User Data\Default\Login Data
          • 0xb2e70:$a4: \Orbitum\User Data\Default\Login Data
          • 0x949d1:$a5: \Kometa\User Data\Default\Login Data
          • 0xb3ff1:$a5: \Kometa\User Data\Default\Login Data
Source: 0.2.RFQ.exe.471c928.11.raw.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.2.RFQ.exe.471c928.11.raw.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 0.2.RFQ.exe.471c928.11.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.2.RFQ.exe.471c928.11.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security