Windows Analysis Report
DHL AWB SHIPPING DOCS_AWB_0009123.exe

Overview

General Information

Sample Name: DHL AWB SHIPPING DOCS_AWB_0009123.exe
Analysis ID: 800700
MD5: cf98f42b9d4bbdc20e54e7e0ca7543c0
SHA1: 2543080386230d110b18e1b653c14d1d640998da
SHA256: f7b57c7265e87bee11e652eba90afe3e0c34f691cd8faf3b79fe8def96044831
Tags: DHL, exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
May check the online IP address of the machine
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe ReversingLabs: Detection: 43%
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Virustotal: Detection: 12%
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack Avira: Label: TR/ATRAPS.Gen
Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/sendMessage?chat_id=5463149861"}
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_00406715 FindFirstFileExW, 2_2_00406715
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 0105F851h 2_2_0105F321
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 01058597h 2_2_010582D8
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 010589F7h 2_2_01058738
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 01057CD7h 2_2_0105792F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 0105FCA9h 2_2_0105F9F0
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 01058E57h 2_2_01058B99
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 01056D19h 2_2_01056A59
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 010568A2h 2_2_01055DB7
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 01058137h 2_2_01057E78
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 010572E0h 2_2_01056EC8
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 010572E0h 2_2_0105720E
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_010552D8
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_0105590B
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_01055AEC
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 4x nop then jmp 010572E0h 2_2_01056EB9

Networking

Source: Traffic Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49700 -> 193.122.6.168:80
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe DNS query: name: checkip.dyndns.org
Source: Yara match File source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View ASN Name: ORACLE-BMC-31898US
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: tdbwdaltxz.exe, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: tdbwdaltxz.exe, 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org4
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: tdbwdaltxz.exe String found in binary or memory: http://schemas.m
Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tdbwdaltxz.exe, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

System Summary

Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0107791F 1_2_0107791F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01076C9D 1_2_01076C9D
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_010770B5 1_2_010770B5
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_010774EA 1_2_010774EA
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_010767A9 1_2_010767A9
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0106BFDF 1_2_0106BFDF
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0106F23C 1_2_0106F23C
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01069647 1_2_01069647
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E08B7 1_2_005E08B7
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E0A2D 1_2_005E0A2D
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0040CBD1 2_2_0040CBD1
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0107791F 2_2_0107791F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010770B5 2_2_010770B5
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0106F23C 2_2_0106F23C
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01076C9D 2_2_01076C9D
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010774EA 2_2_010774EA
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010767A9 2_2_010767A9
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0106BFDF 2_2_0106BFDF
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01069647 2_2_01069647
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0105B020 2_2_0105B020
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0105F321 2_2_0105F321
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01057358 2_2_01057358
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010582D8 2_2_010582D8
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01058738 2_2_01058738
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0105792F 2_2_0105792F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0105F9F0 2_2_0105F9F0
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01058B99 2_2_01058B99
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01056A59 2_2_01056A59
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01055DB7 2_2_01055DB7
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01057E78 2_2_01057E78
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010530F2 2_2_010530F2
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01057349 2_2_01057349
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010552C7 2_2_010552C7
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_010552D8 2_2_010552D8
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0105EB98 2_2_0105EB98
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0105EBA8 2_2_0105EBA8
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: String function: 010668F0 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: String function: 01064EBD appears 56 times
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: String function: 00401EE0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_010611A0 OpenSCManagerW,_fprintf,OpenServiceW,DeleteService,_fprintf,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,_fprintf,CloseServiceHandle,CloseServiceHandle, 1_2_010611A0
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe ReversingLabs: Detection: 43%
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Virustotal: Detection: 37%
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe File read: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Process created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Process created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe File created: C:\Users\user\AppData\Local\Temp\nsv9935.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@2/2
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: OpenSCManagerW,_fprintf,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,_fprintf,CloseServiceHandle, 1_2_010610B0
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: OpenSCManagerW,_fprintf,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,_fprintf,CloseServiceHandle, 2_2_010610B0
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.cs Base64 encoded string: 'IwKBXjNRCdw8lIyWLafopbJDyfGg4tBtJpKdYfBdgZN4c/KU7p3OHgtWJM8b0KUg'
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0040147B GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 2_2_0040147B
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: GetTickCount 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: Kernel32.dll 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: Sleep 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: Kernel32.dll 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: VirtualAlloc 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: Kernel32.dll 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: Embedding 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: regserver 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: unregserver 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: unregister 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: unreg 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: package 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: ACTION=ADMIN 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: uninstall 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: update 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: uiet 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: passive 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: help 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Command line argument: REMOVE=ALL 1_2_01061C90
Source: tdbwdaltxz.exe String found in binary or memory: F-Stopw
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, u00ab????/ufffdzufffd?ufffd.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
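The unpacked .NET module above carries a Base64 string next to calls to CreateDecryptor and TransformFinalBlock, which is the shape of a symmetric-cipher decryption routine. The following Python triage helper is an added example, not code from the report or from the sample: it decodes that exact string and reports whether the result looks like text or like block-cipher output (length a multiple of 16 bytes, non-printable content). The key and IV are not in the report, so no decryption is attempted; recovering them means reading the class that calls CreateDecryptor in a .NET decompiler.

```python
import base64
import math
import string

# Base64 string the report recovered from the unpacked .NET module
# (2.2.tdbwdaltxz.exe.2b40000.5.unpack).
REPORT_STRING = "IwKBXjNRCdw8lIyWLafopbJDyfGg4tBtJpKdYfBdgZN4c/KU7p3OHgtWJM8b0KUg"

_PRINTABLE = set(string.printable.encode("ascii"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ciphertext and compressed data approach 8.0 on large
    inputs; on a 48-byte blob the ceiling is log2(48), about 5.58."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_b64(s: str) -> dict:
    """Decode a suspected Base64 blob and describe what it looks like.

    block_aligned: decoded length is a multiple of 16, consistent with
                   AES/Rijndael output as produced by TransformFinalBlock
    printable:     every byte is printable ASCII, i.e. it was just an
                   encoded string (this wins over block alignment)
    entropy:       Shannon entropy of the decoded bytes, for the analyst
    """
    raw = base64.b64decode(s, validate=True)
    block_aligned = len(raw) > 0 and len(raw) % 16 == 0
    printable = all(b in _PRINTABLE for b in raw)
    if printable:
        verdict = "encoded text"
    elif block_aligned:
        verdict = "likely block-cipher ciphertext"
    else:
        verdict = "opaque binary"
    return {
        "decoded": raw,
        "length": len(raw),
        "block_aligned": block_aligned,
        "printable": printable,
        "entropy": round(shannon_entropy(raw), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage_b64(REPORT_STRING)
    print({k: v for k, v in result.items() if k != "decoded"})
    print(result["decoded"].hex())
```

For the string on this page the decoded blob is 48 bytes (three 16-byte blocks) and its second byte is 0x02, so it is not an encoded string; that is the pattern to expect from an embedded encrypted configuration or payload handed to TransformFinalBlock.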
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01066935 push ecx; ret 1_2_01066948
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0040D2E1 push ecx; ret 2_2_0040D2F4
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01066935 push ecx; ret 2_2_01066948
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01068008 push esi; ret 2_2_0106800A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01068314 push esi; ret 2_2_01068316
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01068363 push edi; ret 2_2_01068365
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01068409 push edi; ret 2_2_0106840B
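The push/ret entries above are the evidence behind the "code obfuscation techniques (call, push, ret)" signature: a `push <reg>` immediately followed by `ret` is an indirect jump written without a jmp or call instruction, which defeats naive control-flow recovery. Several entries, such as `2_2_01068008 push esi; ret 2_2_0106800A`, are two bytes apart, the exact encoding of `56 C3`. The scanner below is an added example, not part of the report or the sample: it pattern-scans raw x86 bytes for adjacent `push reg; ret` and `push imm32; ret` pairs. The input bytes are constructed for the example; the only real address it borrows is the base used for display.

```python
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def find_push_ret(code: bytes, base: int = 0) -> list:
    """Pattern-scan raw x86 bytes for 'push <reg>; ret' (0x50+r, 0xC3) and
    'push imm32; ret' (0x68 imm32 0xC3) pairs.

    Both transfer control to the pushed value through the return address.
    This is a byte scan, not a disassembler: a 0x56 0xC3 that sits inside
    another instruction's operands is a false positive, so confirm each hit
    in a disassembler. Entries like the report's 'push ecx ... ret' at
    01066935/01066948, with instructions in between, are out of scope here.
    Returns (address, text) tuples.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            hits.append((base + i, f"push {REG32[b - 0x50]}; ret"))
            i += 2
            continue
        if b == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, f"push 0x{target:08x}; ret"))
            i += 6
            continue
        i += 1
    return hits


# Constructed bytes (not taken from the sample): a prologue, two 2-byte
# push/ret gadgets, one push imm32/ret and some filler.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp
    0x56, 0xC3,                          # push esi; ret
    0x90, 0x90,                          # nop; nop
    0x68, 0x00, 0x10, 0x40, 0x00, 0xC3,  # push 0x00401000; ret
    0x33, 0xC0,                          # xor eax, eax
    0x57, 0xC3,                          # push edi; ret
    0xC3,                                # ret
])
SAMPLE_BASE = 0x01068000  # display base only, chosen to match the report's region


if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{addr:08x}  {text}")
```

Running it on a dumped code section (for example the 0x400000 image the report unpacked) gives a list of candidate gadgets that can be cross-checked against what the sandbox flagged.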
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01061C90 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,_fseek,_fseek,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,_fprintf,lstrlenW,_fprintf,lstrlenW,ExitProcess,lstrlenW,lstrlenW,lstrlenW,CLSIDFromString,FreeLibrary, 1_2_01061C90
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe File created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API coverage: 3.0 %
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E07DA GetSystemInfo, 1_2_005E07DA
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_00406715 FindFirstFileExW, 2_2_00406715
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API call chain: ExitProcess graph end node
Source: tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01072526 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_01072526
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01061C90 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,_fseek,_fseek,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,_fprintf,lstrlenW,_fprintf,lstrlenW,ExitProcess,lstrlenW,lstrlenW,lstrlenW,CLSIDFromString,FreeLibrary, 1_2_01061C90
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_01074D5B __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,__get_osfhandle,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_01074D5B
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E005F mov eax, dword ptr fs:[00000030h] 1_2_005E005F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E017B mov eax, dword ptr fs:[00000030h] 1_2_005E017B
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E0109 mov eax, dword ptr fs:[00000030h] 1_2_005E0109
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_005E013E mov eax, dword ptr fs:[00000030h] 1_2_005E013E
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_01057358 LdrInitializeThunk, 2_2_01057358
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0106BC59 SetUnhandledExceptionFilter, 1_2_0106BC59
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0106BC7C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0106BC7C
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_00401E16 SetUnhandledExceptionFilter, 2_2_00401E16
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00401C83
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_004060A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004060A4
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00401F2A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0106BC59 SetUnhandledExceptionFilter, 2_2_0106BC59
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 2_2_0106BC7C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0106BC7C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe protection: execute and read and write
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ufffd?ufffd?ufffd/?ufffdi??.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry, 1_2_01079912
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: EnumSystemLocalesEx, 1_2_01072C02
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_0107380E
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: GetLocaleInfoEx, 1_2_01072C37
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_0107483A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_01072B8A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_010733CD
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_01073E4A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 1_2_0106CE68
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry, 2_2_01079912
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_0107380E
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 2_2_0107483A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_01072B8A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_010733CD
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: EnumSystemLocalesEx, 2_2_01072C02
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: GetLocaleInfoEx, 2_2_01072C37
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_01073E4A
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 2_2_0106CE68
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0106445F cpuid 1_2_0106445F
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Code function: 1_2_0106BA43 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter, 1_2_0106BA43
Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information

Source: Yara match File source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
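The file and registry accesses just listed (the Outlook profile key, the Postbox profile directory, FileZilla's recentservers.xml, Chrome's Login Data) and the ROOT\SecurityCenter2 WMI enumeration of AntiVirusProduct, FirewallProduct and AntiSpywareProduct in the evasion section are individually unremarkable: a mail client opens its own profile key, a management agent may query Security Center. What marks a stealer is one process doing several of them. The following Python is an added detection example, not code from the report or from any product: it tags constructed Sysmon-style events against those exact paths and classes and flags a process that touches two or more credential stores, or any store plus Security Center enumeration. The event shape, the benign processes and their paths are constructed for the example.

```python
import re
from collections import defaultdict

# Credential stores the report shows tdbwdaltxz.exe opening, as regexes over
# the file path or registry key (matched case-insensitively). The GUID
# 9375CFF0413111d3B88A00104B2A6676 is the fixed name of the Outlook profile
# store under the Profiles key, not something specific to this victim.
CREDENTIAL_STORES = {
    "outlook_profile": r"\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    "postbox_profiles": r"\\PostboxApp\\Profiles\\",
    "filezilla_recent": r"\\FileZilla\\recentservers\.xml$",
    "chrome_login_data": r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
}

# WMI classes the sample enumerated under ROOT\SecurityCenter and ROOT\SecurityCenter2.
SECURITY_CENTER_CLASSES = ("AntiVirusProduct", "FirewallProduct", "AntiSpywareProduct")


def tag_event(ev: dict) -> list:
    """Return ("store", name) / ("seccenter", class) tags for one event.

    ev has keys pid, image, kind, target; kind is FileOpen, RegOpen or
    WmiQuery. This is a constructed, Sysmon-like shape, not a real format.
    """
    tags = []
    target = ev["target"]
    if ev["kind"] in ("FileOpen", "RegOpen"):
        for name, pattern in CREDENTIAL_STORES.items():
            if re.search(pattern, target, re.IGNORECASE):
                tags.append(("store", name))
    elif ev["kind"] == "WmiQuery" and re.search(r"ROOT\\SecurityCenter", target, re.IGNORECASE):
        # Works for both CreateInstanceEnum (class name only) and the WQL
        # __InstanceOperationEvent form, which names the classes after ISA.
        for cls in SECURITY_CENTER_CLASSES:
            if cls in target:
                tags.append(("seccenter", cls))
    return tags


def score_processes(events, min_stores: int = 2) -> dict:
    """Aggregate per PID; return {pid: record} for processes that look like
    a stealer: >= min_stores distinct credential stores, or any store plus
    Security Center enumeration. A mail client opening only its own profile
    key is not flagged at the default threshold."""
    per_pid = defaultdict(lambda: {"image": None, "stores": set(), "seccenter": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        for kind, value in tag_event(ev):
            rec["stores" if kind == "store" else "seccenter"].add(value)
    return {
        pid: rec for pid, rec in per_pid.items()
        if len(rec["stores"]) >= min_stores or (rec["stores"] and rec["seccenter"])
    }


STEALER = r"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe"

# Constructed events: the sample's accesses from this report plus two benign
# processes touching only their own data.
SAMPLE_EVENTS = [
    {"pid": 5884, "image": STEALER, "kind": "WmiQuery",
     "target": r"ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"},
    {"pid": 5884, "image": STEALER, "kind": "WmiQuery", "target": r"ROOT\SecurityCenter2 : AntiVirusProduct"},
    {"pid": 5884, "image": STEALER, "kind": "RegOpen",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 5884, "image": STEALER, "kind": "FileOpen", "target": "C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\"},
    {"pid": 5884, "image": STEALER, "kind": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 5884, "image": STEALER, "kind": "FileOpen", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1234, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "kind": "RegOpen",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 2345, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "kind": "FileOpen",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
]


if __name__ == "__main__":
    for pid, rec in score_processes(SAMPLE_EVENTS).items():
        print(pid, rec["image"], sorted(rec["stores"]), sorted(rec["seccenter"]))
```

Lowering min_stores to 1 flags the benign Outlook and FileZilla processes too, which is the false-positive rate a single-store rule would carry in production; the combination is what carries the signal.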

Remote Access Functionality

Source: Yara match File source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR