Windows
Analysis Report
z1QuotationSheetVSAA6656776.exe
Overview
General Information
Detection
GuLoader, Snake Keylogger
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Obfuscated command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64native
- z1QuotationSheetVSAA6656776.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe" MD5: CFB41760F84E1E70BADE0CA7394D424B)
  - cmd.exe (PID: 6292 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 6448 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 6292 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 2996 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 3112 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 6292 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 2588 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 3584 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 7832 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8276 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8340 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8396 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8452 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8512 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8568 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8624 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8680 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8736 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8792 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8848 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8904 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8960 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9016 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9072 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9128 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9204 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8316 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8372 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8436 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8460 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8520 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8572 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8728 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8784 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8828 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8880 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8936 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8992 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9060 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9112 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9172 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8260 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8448 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8504 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8540 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8620 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 6812 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8568 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8708 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8780 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8824 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8888 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8936 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8992 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9060 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9112 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 9172 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 9204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8260 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8408 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8472 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8512 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 8652 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Conhost.exe (PID: 8660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - z1QuotationSheetVSAA6656776.exe (PID: 5668 cmdline: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe" MD5: CFB41760F84E1E70BADE0CA7394D424B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | |
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7488405197:AAH7tXu4zKMAWY-fq5Ygp2Q20mBw5pxUA68/sendMessage?chat_id=1545867115"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
| AV Detection | |
|---|---|
| Source: | Avira: |
| Source: | Malware Configuration Extractor: |
| Source: | ReversingLabs: |

| Location Tracking | |
|---|---|
| Source: | DNS query: |