
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756297
MD5: cfc1c66cba07daef1e8ac13d5e042e7a
SHA1: 10451947894a7af9a06adc619179e00e933fb20a
SHA256: addc1564d69b115e0cb5ff2264614c98dc51107f042e3ea0d93b99e49cf2e94b
Tags: NET, exe, MSIL, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • file.exe (PID: 1128 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)
    • file.exe (PID: 5916 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)
    • file.exe (PID: 4844 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)
    • file.exe (PID: 5260 cmdline: C:\Users\user\Desktop\file.exe MD5: CFC1C66CBA07DAEF1E8AC13D5E042E7A)
    • audiodg.exe (PID: 4844 cmdline: C:\Windows\system32\AUDIODG.EXE 0x364 MD5: 0B245353F92DF527AA7613BA2C0DA023)
  • cleanup
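The process tree above (file.exe spawning further copies of file.exe), together with the "Creates a process in suspended mode (likely to inject code)" and "Injects a PE file into a foreign process" signatures, is the classic process-hollowing pattern: create a child suspended, unmap or allocate in it, write a PE image, redirect the main thread, resume. The following is an added example and is not part of the Joe Sandbox report nor code from the sample: a detector for that API sequence run over a constructed trace. The trace line format, the PIDs, the argument values and the KNOWN_IMAGES map are assumptions made for the illustration, not Joe Sandbox's own log format.

```python
"""Detect the create-suspended / write / SetThreadContext / ResumeThread
sequence (process hollowing) in an API-call trace.

Added example, not from the Joe Sandbox report. The trace format below
("pid api(key=value, ...) -> ret") and all values in it are constructed."""
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcessW

# Constructed trace: PID 1128 hollows a suspended copy of itself (5916) and
# also does a single harmless write into an unrelated, non-suspended child.
TRACE = """\
1128 CreateProcessW(lpApplicationName=C:\\Users\\user\\Desktop\\file.exe, dwCreationFlags=0x4) -> pid=5916
1128 GetThreadContext(hProcess=5916) -> 1
1128 NtUnmapViewOfSection(hProcess=5916) -> 0
1128 VirtualAllocEx(hProcess=5916, dwSize=0x2e000, flProtect=0x40) -> 0x400000
1128 WriteProcessMemory(hProcess=5916, lpBaseAddress=0x400000, nSize=0x400) -> 1
1128 WriteProcessMemory(hProcess=5916, lpBaseAddress=0x401000, nSize=0x2c000) -> 1
1128 SetThreadContext(hProcess=5916) -> 1
1128 ResumeThread(hProcess=5916) -> 1
1128 CreateProcessW(lpApplicationName=C:\\Windows\\System32\\notepad.exe, dwCreationFlags=0x0) -> pid=7000
1128 WriteProcessMemory(hProcess=7000, lpBaseAddress=0x10000, nSize=0x10) -> 1
"""

# Assumed image path of the tracing process, used to flag self-spawning.
KNOWN_IMAGES = {1128: r"C:\Users\user\Desktop\file.exe"}

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\) -> (?P<ret>.*)$")


def parse_trace(text):
    """Turn trace lines into (caller_pid, api, {arg: value}, ret) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not an API call record
        args = {}
        if m["args"]:
            for kv in m["args"].split(", "):
                k, _, v = kv.partition("=")
                args[k] = v
        events.append((int(m["pid"]), m["api"], args, m["ret"]))
    return events


def detect_hollowing(events, parent_images):
    """Return one finding per child that was created suspended and then
    written to, had its thread context replaced, and was resumed."""
    targets = {}  # child pid -> state collected from calls that reference it
    for pid, api, args, ret in events:
        if api == "CreateProcessW":
            flags = int(args.get("dwCreationFlags", "0"), 16)
            child = int(ret.partition("=")[2])
            targets[child] = {
                "parent": pid,
                "image": args.get("lpApplicationName", ""),
                "suspended": bool(flags & CREATE_SUSPENDED),
                "stages": set(),
            }
            continue
        handle = args.get("hProcess")
        if handle is None or int(handle) not in targets:
            continue
        state = targets[int(handle)]
        if api in ("NtUnmapViewOfSection", "VirtualAllocEx"):
            state["stages"].add("remap")
        elif api == "WriteProcessMemory":
            state["stages"].add("write")
        elif api == "SetThreadContext":
            state["stages"].add("set_context")
        elif api == "ResumeThread":
            state["stages"].add("resume")

    findings = []
    for child, state in targets.items():
        # A suspended create followed by write + context swap + resume is the
        # minimal hollowing chain; "remap" is recorded but not required.
        if state["suspended"] and {"write", "set_context", "resume"} <= state["stages"]:
            parent_image = parent_images.get(state["parent"], "")
            findings.append({
                "parent": state["parent"],
                "child": child,
                "image": state["image"],
                "same_image_as_parent": state["image"].lower() == parent_image.lower(),
                "stages": sorted(state["stages"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(TRACE), KNOWN_IMAGES):
        print(f)
```

Only the suspended child with the full write / SetThreadContext / ResumeThread chain is reported; the single WriteProcessMemory into the non-suspended notepad.exe child is not, which keeps the rule from firing on ordinary debuggers and instrumentation that write into running processes.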
Malware Configuration

{"Exfil Mode": "SMTP", "Username": "arinzelog@saonline.xyz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}

Source | Rule | Description | Author
00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x522dc:$x1: $%SMTPDV$
  • 0x522f2:$x2: $#TheHashHere%&
  • 0x537f3:$x3: %FTPDV$
  • 0x538b7:$x4: $%TelegramDv$
  • 0x4fb75:$x5: KeyLoggerEventArgs
  • 0x4ff0b:$x5: KeyLoggerEventArgs
  • 0x53817:$m2: Clipboard Logs ID
  • 0x53a1d:$m2: Screenshot Logs ID
  • 0x53b2d:$m2: keystroke Logs ID
  • 0x53d11:$m3: SnakePW
  • 0x539f5:$m4: \SnakeKeylogger\
(22 matching entries in total; only the first are shown)
Source | Rule | Description | Author
0.2.file.exe.416fa10.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x198d3:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x18b05:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x18f38:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1a05f:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.416fa10.6.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.file.exe.416fa10.6.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.file.exe.416fa10.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.file.exe.416fa10.6.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x12d07:$s1: UnHook
  • 0x12d0e:$s2: SetHook
  • 0x12d16:$s3: CallNextHook
  • 0x12d23:$s4: _hook
(33 matching entries in total; only the first are shown)
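The string listings above show how the MALWARE_Win_SnakeKeylogger and INDICATOR_SUSPICIOUS_EXE_DotNetProcHook hits are reported: a hexadecimal offset into the dump or unpacked image, the string identifier, and the matched text. Note that $m2 matched three different texts (Clipboard, Screenshot and keystroke "Logs ID"), so that identifier cannot be a plain literal. The following is an added example, not code from the report, from Joe Security or from the rule authors: a pure-Python scanner that reproduces the "0xoffset:$id: text" hit format for those strings over a constructed buffer. The rule conditions used here, the regex form of $m2, and the decision to search literals in both ASCII and UTF-16LE are assumptions for the illustration; the published rules' real conditions are not on the page.

```python
"""Reproduce the '0xoffset:$id: text' hit listing for the Snake Keylogger and
DotNetProcHook string sets over a buffer.

Added example, not from the Joe Sandbox report. The rule conditions and the
regex form of $m2 are assumptions; the sample buffer is constructed."""
import re

# Strings as listed in the report for MALWARE_Win_SnakeKeylogger (ditekSHen).
# $m2 matched three texts in the report, so it is modelled as a regex (inferred).
SNAKE_STRINGS = {
    "$x1": b"$%SMTPDV$",
    "$x2": b"$#TheHashHere%&",
    "$x3": b"%FTPDV$",
    "$x4": b"$%TelegramDv$",
    "$x5": b"KeyLoggerEventArgs",
    "$m2": re.compile(rb"(Clipboard|Screenshot|keystroke) Logs ID"),
    "$m3": b"SnakePW",
    "$m4": b"\\SnakeKeylogger\\",
}

# Strings as listed for INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (ditekSHen).
HOOK_STRINGS = {"$s1": b"UnHook", "$s2": b"SetHook", "$s3": b"CallNextHook", "$s4": b"_hook"}

# ASSUMED conditions for illustration only (the real rules' conditions are not on the page).
RULES = {
    "MALWARE_Win_SnakeKeylogger": (
        SNAKE_STRINGS,
        lambda ids: any(i.startswith("$x") for i in ids) and sum(i.startswith("$m") for i in ids) >= 2,
    ),
    "INDICATOR_SUSPICIOUS_EXE_DotNetProcHook": (HOOK_STRINGS, lambda ids: len(ids) >= 3),
}


def scan(buf, strings):
    """Return sorted (offset, id, text) hits. Literal strings are searched in
    ASCII and in UTF-16LE, because .NET string literals live wide in the #US
    heap and in memory; regex patterns are searched in ASCII only."""
    hits = []
    for sid, pat in strings.items():
        if isinstance(pat, bytes):
            text = pat.decode("latin-1")
            for m in re.finditer(re.escape(pat), buf):
                hits.append((m.start(), sid, text))
            wide = text.encode("utf-16-le")
            for m in re.finditer(re.escape(wide), buf):
                hits.append((m.start(), sid, text + " (wide)"))
        else:
            for m in pat.finditer(buf):
                hits.append((m.start(), sid, m.group(0).decode("latin-1")))
    return sorted(hits)


def format_hits(hits):
    """Render hits the way the report lists them: 0xoffset:$id: text."""
    return [f"0x{off:x}:{sid}: {text}" for off, sid, text in hits]


def evaluate(buf):
    """Run every rule over buf; returns {rule: (matched, [formatted hits])}."""
    result = {}
    for name, (strings, cond) in RULES.items():
        hits = scan(buf, strings)
        result[name] = (cond({sid for _, sid, _ in hits}), format_hits(hits))
    return result


# Constructed buffer: a fake MZ header, one ASCII and one wide Snake marker,
# two of the "Logs ID" variants, SnakePW, and the four hook identifiers.
SAMPLE = (
    b"MZ" + b"\x00" * 0x100
    + b"$%SMTPDV$" + b"\x00" * 0x20
    + "$%TelegramDv$".encode("utf-16-le") + b"\x00" * 0x20
    + b"Screenshot Logs ID" + b"\x00" * 0x10
    + b"keystroke Logs ID" + b"\x00" * 0x10
    + b"SnakePW" + b"\x00" * 0x10
    + b"UnHook\x00SetHook\x00CallNextHook\x00_hook"
)

if __name__ == "__main__":
    for rule, (matched, lines) in evaluate(SAMPLE).items():
        print(rule, "matched" if matched else "no match")
        for line in lines:
            print("  •", line)
```

Scanning both encodings matters for this family: the report's hits come from a memory dump and an unpacked image, and the same literal can appear ASCII in one and UTF-16LE in the other, so a scanner that only checks one form will miss half the evidence.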
No Sigma rule has matched

Snort IDS alert
Timestamp: 11/30/22-00:11:36.516564
Source IP: 192.168.2.4
Destination IP: 193.122.130.0
Source Port: 49696
Destination Port: 80
Protocol: TCP
SID: 2039190
Classtype: A Network Trojan was detected


                AV Detection