Windows Analysis Report
Ru66o6HYE6.exe

Overview

General Information

Sample Name: Ru66o6HYE6.exe
Original Sample Name: 0eef67dbee8912b9267f7ca7f7eb4f63547bc8d336bdddc22f98c14563c32515.exe
Analysis ID: 884341
MD5: a8a2e3100a56c891b16cd7503e4b03ae
SHA1: e5313848436433842b4d932e3ddfc408bb20337a
SHA256: 0eef67dbee8912b9267f7ca7f7eb4f63547bc8d336bdddc22f98c14563c32515
Tags: exe, MassLogger

Detection

Kraken Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Kraken Rat
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Contains functionality to capture screen (.Net source)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Binary contains a suspicious time stamp
Detected potential crypto function
Yara detected Credential Stealer
Potential time zone aware malware
Program does not show much activity (idle)
Enables debug privileges

Classification

(classification diagram not reproduced)

Process Tree

  • System is w10x64
  • Ru66o6HYE6.exe (PID: 6708, cmdline: C:\Users\user\Desktop\Ru66o6HYE6.exe, MD5: A8A2E3100A56C891B16CD7503E4B03AE)
  • cleanup

Malware Configuration

Kraken Rat: {"Exfil Mode": "SMTP", "From": "david@product-secured.com", "Password": "H?G7iEWK_W0R##2#", "To": "premium251.web-hosting.com", "Port": "587"}
Yara Overview

Source | Rule | Description | Author | Strings
Ru66o6HYE6.exe | JoeSecurity_KrakenRat | Yara detected Kraken Rat | Joe Security
Ru66o6HYE6.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Ru66o6HYE6.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Ru66o6HYE6.exe | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0xe394:$s1: UnHook
  • 0xe39b:$s2: SetHook
  • 0xe3a3:$s3: CallNextHook
  • 0xe3b0:$s4: _hook
Ru66o6HYE6.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd66a:$a1: get_encryptedPassword
  • 0xd9ff:$a2: get_encryptedUsername
  • 0xd414:$a3: get_timePasswordChanged
  • 0xd51a:$a4: get_passwordField
  • 0xd680:$a5: set_encryptedPassword
  • 0xf25d:$a7: get_logins
  • 0xef2b:$a8: GetOutlookPasswords
  • 0xec73:$a9: StartKeylogger
  • 0xf194:$a10: KeyLoggerEventArgs
  • 0xec82:$a11: KeyLoggerEventArgsEventHandler

Source | Rule | Description | Author | Strings
00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_KrakenRat | Yara detected Kraken Rat | Joe Security
00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd46a:$a1: get_encryptedPassword
  • 0xd7ff:$a2: get_encryptedUsername
  • 0xd214:$a3: get_timePasswordChanged
  • 0xd31a:$a4: get_passwordField
  • 0xd480:$a5: set_encryptedPassword
  • 0xf05d:$a7: get_logins
  • 0xed2b:$a8: GetOutlookPasswords
  • 0xea73:$a9: StartKeylogger
  • 0xef94:$a10: KeyLoggerEventArgs
  • 0xea82:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Ru66o6HYE6.exe PID: 6708 | JoeSecurity_KrakenRat | Yara detected Kraken Rat | Joe Security
Process Memory Space: Ru66o6HYE6.exe PID: 6708 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.0.Ru66o6HYE6.exe.400000.0.unpack | JoeSecurity_KrakenRat | Yara detected Kraken Rat | Joe Security
0.0.Ru66o6HYE6.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.Ru66o6HYE6.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.Ru66o6HYE6.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0xe394:$s1: UnHook
  • 0xe39b:$s2: SetHook
  • 0xe3a3:$s3: CallNextHook
  • 0xe3b0:$s4: _hook
0.0.Ru66o6HYE6.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd66a:$a1: get_encryptedPassword
  • 0xd9ff:$a2: get_encryptedUsername
  • 0xd414:$a3: get_timePasswordChanged
  • 0xd51a:$a4: get_passwordField
  • 0xd680:$a5: set_encryptedPassword
  • 0xf25d:$a7: get_logins
  • 0xef2b:$a8: GetOutlookPasswords
  • 0xec73:$a9: StartKeylogger
  • 0xf194:$a10: KeyLoggerEventArgs
  • 0xec82:$a11: KeyLoggerEventArgsEventHandler

No Sigma rule has matched
No Snort rule has matched

                      AV Detection

Source: Ru66o6HYE6.exe | Avira: detected
Source: Ru66o6HYE6.exe | Malware Configuration Extractor: Kraken Rat {"Exfil Mode": "SMTP", "From": "david@product-secured.com", "Password": "H?G7iEWK_W0R##2#", "To": "premium251.web-hosting.com", "Port": "587"}
Source: Ru66o6HYE6.exe | ReversingLabs: Detection: 51%
Source: Ru66o6HYE6.exe | Virustotal: Detection: 68%
Source: Ru66o6HYE6.exe | Joe Sandbox ML: detected
Source: Ru66o6HYE6.exe | String decryptor (decrypted strings, in the order reported):
  • david@product-secured.com
  • H?G7iEWK_W0R##2#
  • premium251.web-hosting.com
  • 587
  • WinForms_RecursiveFormCreate
  • WinForms_SeeInnerException
  • KrakenStub.Resources
  • 1
  • %True%
  • swCpiTiAhkkEpyDZTnAGhOBZpr
  • True
  • |System Info|System Name:
  • Time:
  • Date:
  • ========|*Recovered Data*|========
  • XmyFntc+2Mr9D8a8cIRGva7Yqa591pNDLqAR8rdY1k4=
  • zGXhVxursUWx/Mqn01W8YxHaxPhhjF+P
  • g6iqdQx6uSAFv0MppdYExCCYh6Ky5jTt0T2NBhI/KWg=
  • VqONpyzLqFY=
  • EdrE+GGMX48=
  • KRK
  • ------------------------
  • x
  • Content-Type
  • multipart/form-data; boundary=
  • --{0}Content-Disposition: form-data; name="document"; filename="{1}"Content-Type: {2}{3}--{0}--
  • POST
  • https://api.telegram.org/bot
  • /sendMessage?chat_id=
  • &text=
  • utf-8
  • /
  • user-agent
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  • http://checkip.dyndns.org/
  • <html><head><title>Current IP Check</title></head><body>
  • </body></html>
  • Current IP Address:
  • (empty or whitespace-only string)
  • (empty or whitespace-only string)
  • .
  • {.}
  • http
  • {http}
  • 0
  • Create
  • Kraken_Clipboard_
  • .txt
  • STOR
  • Recovered From:
  • (empty or whitespace-only string)
  • Clipboard.txt
  • text/plain
  • 2
  • /sendDocument?chat_id=
  • &caption=
  • System IP:
  • KrakenClipboardLog.txt
  • application/x-ms-dos-executable
  • RecoveredDisplayShot
  • .png
  • \Kraken
  • \Kraken\
  • Kraken_Screenshot_
  • Recovered Screenshot From:
  • Recovered Keylogs From:
  • Kraken_Keylogs_
  • RecoveredKeylogs.txt
  • Keylogs Recovered From:
  • KrakenKeylogs.txt
  • [ -- {0} -- ]
  • {0}
  • (empty or whitespace-only string)
  • Kraken_Password_
  • RecoveredPassword.txt
  • RecoveredLogins.txt
  • 300000
  • [
  • ]
  • (empty or whitespace-only string)
  • [ENTR]
  • [TAP]
  • ObjectLength
  • ChainingModeGCM
  • AuthTagLength
  • ChainingMode
  • KeyDataBlob
  • AES
  • Microsoft Primitive Provider
  • BCrypt.BCryptDecrypt() (get size) failed with status code: {0}
  • BCrypt.BCryptDecrypt(): authentication tag mismatch
  • BCrypt.BCryptDecrypt() failed with status code:{0}
  • BCrypt.BCryptOpenAlgorithmProvider() failed with status code:{0}
  • BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with status code:{0}
  • BCrypt.BCryptImportKey() failed with status code:{0}
  • BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
  • BCrypt.BCryptGetProperty() failed with status code:{0}
  • ===== | Recovered - Outlook | =====URL:
  • E-Mail:
  • K-Password:
  • aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  • IMAP Password
  • POP3 Password
  • HTTP Password
  • SMTP Password
  • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • Email
  • GetBytes
  • SMTP Server
  • Nothing
  • (empty or whitespace-only string)
  • Outlook
  • Foxmail
  • SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command
  • Foxmail.exe
  • "
  • Storage\
  • \
  • \Accounts\Account.rec0
  • Account
  • POP3Account
  • Password
  • POP3Password
  • !
  • ===== | Recovered - Foxmail | =====
  • E-Mail: {0}
  • K-Password: {0}
  • 5A
  • 71
  • v10
  • \Local State
  • "encrypted_key":"(.*?)"
  • \MapleStudio\ChromePlus\User Data\Default\Login Data
  • logins
  • origin_url
  • username_value
  • password_value
  • ===== | Recovered - Coolnovo Browser | =====Host:
  • K-Username:
  • \CatalinaGroup\Citrio\User Data\Default\Login Data
  • ===== | Recovered - CitrioBrowser | =====Host:
  • \Google\Chrome SxS\User Data\Default\Login Data
  • ===== | Recovered - Chrome Canary | =====Host:
  • \Google\Chrome\User Data\Default\Login Data
  • ===== | Recovered - Chrome | =====Host:
  • \CocCoc\Browser\User Data\Default\Login Data
  • ===== | Recovered - Coccoc Browser | =====Host:
  • \Tencent\QQBrowser\User Data\Default\Login Data
  • \Vivaldi\User Data\Default\Login Data
  • \Chromium\User Data\Default\Login Data
  • ===== | Recovered - Chromium | =====Host:
  • \CentBrowser\User Data\Default\Login Data
  • ===== | Recovered - Cent | =====Host:
  • \Chedot\User Data\Default\Login Data
  • ===== | Recovered - Chedot | =====Host:
  • \360Browser\Browser\User Data\Default\Login Data
  • ===== | Recovered - 360 English | =====Host:
  • \360Chrome\Chrome\User Data\Default\Login Data
  • ===== | Recovered - 360 China | =====Host:
  • \BraveSoftware\Brave-Browser\User Data\Default\Login Data
  • ===== | Recovered - Brave | =====Host:
  • \Torch\User Data\Default\Login Data
  • ===== | Recovered - Torch | =====Host:
  • \UCBrowser\User Data_i18n\Default\UC Login Data.18
  • wow_logins
  • ===== | Recovered - UC | =====Host:
  • \Blisk\User Data\Default\Login Data
  • ===== | Recovered - Blisk | =====Host:
  • \Epic Privacy Browser\User Data\Default\Login Data
  • ===== | Recovered - EpicBrowser | =====Host:
  • \Microsoft\Edge\User Data\Default\Login Data
  • ===== | Recovered - Microsoft Edge | =====Host:
  • ataD nigoL\elbatS arepO\erawtfoS arepO\
  • tad.dnaw\eliforp\arepO\arepO\
  • ReadTable
  • snigol
  • GetRowCount
  • GetValue
  • lru_nigiro
  • eulav_emanresu
  • eulav_drowssap
  • ===== | Recovered - Opera | =====Host:
  • abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
  • APPDATA
  • \FileZilla\recentservers.xml
  • Host
  • User
  • Pass
  • Port
  • ===== | Recovered - FileZilla | =====
  • Host:
  • Username:
  • Password:
  • Port:
  • aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  • \AVAST Software\Browser\User Data\Default\Login Data
  • ===== | Recovered - Avast | =====Host:
  • (
  • UNIQUE
  • table
  • Mozilla\Firefox\Profiles
  • logins.json
  • ===== | Recovered - FireFox | =====Host:
  • Thunderbird\Profiles\
  • ===== | Recovered - Chrome | =====Found From: ThunderbirdHost:
  • NSS_Shutdown
  • PROGRAMFILES
  • \Mozilla Thunderbird\
  • \Mozilla Firefox\
  • \mozglue.dll
  • \nss3.dll
  • NSS_Init
  • PK11SDR_Decrypt
Source: Ru66o6HYE6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 4x nop then jmp 00007FF9A6ED3813h | 0_2_00007FF9A6ED2BCC
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 4x nop then jmp 00007FF9A6ED2AC5h | 0_2_00007FF9A6ED201D
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 4x nop then jmp 00007FF9A6ED404Dh | 0_2_00007FF9A6ED3D5A
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 4x nop then jmp 00007FF9A6ED464Dh | 0_2_00007FF9A6ED425D
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 4x nop then jmp 00007FF9A6ED464Dh | 0_2_00007FF9A6ED455B

                      Networking

Source: Yara match | File source: Ru66o6HYE6.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Ru66o6HYE6.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: Ru66o6HYE6.exe | String found in binary or memory: https://api.telegram.org/bot

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Ru66o6HYE6.exe, KrakenStub/KrakenSteak.cs | .Net Code: TakeScreenshot
Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | .Net Code: TakeScreenshot

                      System Summary

                      barindex
                      Source: Ru66o6HYE6.exe, type: SAMPLEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: Ru66o6HYE6.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: Ru66o6HYE6.exe PID: 6708, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Ru66o6HYE6.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: Ru66o6HYE6.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: Ru66o6HYE6.exe PID: 6708, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Ru66o6HYE6.exe, 00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKrakenStub.exe6 vs Ru66o6HYE6.exe
Source: Ru66o6HYE6.exe, 00000000.00000002.661915249.000000000085D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Ru66o6HYE6.exe
Source: Ru66o6HYE6.exe | Binary or memory string: OriginalFilenameKrakenStub.exe6 vs Ru66o6HYE6.exe
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 0_2_00007FF9A6ED201D 0_2_00007FF9A6ED201D
Source: Ru66o6HYE6.exe | ReversingLabs: Detection: 51%
Source: Ru66o6HYE6.exe | Virustotal: Detection: 68%
Source: Ru66o6HYE6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Ru66o6HYE6.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/0
Source: Ru66o6HYE6.exe, KrakenStub/KrakenDumpedList.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Ru66o6HYE6.exe, KrakenStub/KrakenSteak.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, KrakenStub/KrakenDumpedList.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Ru66o6HYE6.exe, 00000000.00000002.662388374.00000000026C2000.00000004.00000800.00020000.00000000.sdmp, Ru66o6HYE6.exe, 00000000.00000002.664019647.00000000126C1000.00000004.00000800.00020000.00000000.sdmp, Ru66o6HYE6.exe, 00000000.00000002.662388374.00000000026B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Ru66o6HYE6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ru66o6HYE6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 0_2_00007FF9A6ED4E22 push edx; retf 0_2_00007FF9A6ED4F49
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 0_2_00007FF9A6ED5CBD pushfd ; retf 0_2_00007FF9A6ED5CC1
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 0_2_00007FF9A6ED4CA0 push ebx; retf 0_2_00007FF9A6ED4CA1
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 0_2_00007FF9A6ED559B push esp; retf 0_2_00007FF9A6ED559C
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Code function: 0_2_00007FF9A6EDA132 push 00000008h; retf 0_2_00007FF9A6EDA134
Source: Ru66o6HYE6.exe | Static PE information: 0xE29D6504 [Sat Jun 24 05:37:08 2090 UTC]
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Ru66o6HYE6.exe, KrakenStub/KrakenSteak.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: Ru66o6HYE6.exe, KrakenStub/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, KrakenStub/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Queries volume information: C:\Users\user\Desktop\Ru66o6HYE6.exe VolumeInformation
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: Ru66o6HYE6.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ru66o6HYE6.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Ru66o6HYE6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: Ru66o6HYE6.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ru66o6HYE6.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Ru66o6HYE6.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ru66o6HYE6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.393140910.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ru66o6HYE6.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one row per tactic line; the number before a technique is the count of matched signatures mapped to it)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Native API | Path Interception | Path Interception | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Email Collection | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | 11 Archive Collected Data | Automated E