Edit tour

Windows Analysis Report
SOA CONTAINER LINE Oct 24.exe

Overview

General Information

Sample name:	SOA CONTAINER LINE Oct 24.exe
Analysis ID:	1557907
MD5:	022751194e17f47b1651de3600f08dc1
SHA1:	c6c5b6f8dfc9163a51cd983662a2afdbbce69eb3
SHA256:	cde7e6227b12f407f02e9dfcd2025e6716248f5c8ffc93dd8c00cc8e14ee63ed
Tags:	exeuser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOA CONTAINER LINE Oct 24.exe (PID: 5368 cmdline: "C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe" MD5: 022751194E17F47B1651DE3600F08DC1)

SOA CONTAINER LINE Oct 24.exe (PID: 356 cmdline: "C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe" MD5: 022751194E17F47B1651DE3600F08DC1)

WerFault.exe (PID: 6288 cmdline: C:\Windows\system32\WerFault.exe -u -p 356 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x154fc:$a1: get_encryptedPassword 0x35f3c:$a1: get_encryptedPassword 0x157e8:$a2: get_encryptedUsername 0x36228:$a2: get_encryptedUsername 0x15308:$a3: get_timePasswordChanged 0x35d48:$a3: get_timePasswordChanged 0x15403:$a4: get_passwordField 0x35e43:$a4: get_passwordField 0x15512:$a5: set_encryptedPassword 0x35f52:$a5: set_encryptedPassword 0x16bad:$a7: get_logins 0x375ed:$a7: get_logins 0x16b10:$a10: KeyLoggerEventArgs 0x37550:$a10: KeyLoggerEventArgs 0x1677b:$a11: KeyLoggerEventArgsEventHandler 0x371bb:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a4c0:$x1: $%SMTPDV$ 0x3af00:$x1: $%SMTPDV$ 0x18ea4:$x2: $#TheHashHere%& 0x398e4:$x2: $#TheHashHere%& 0x1a468:$x3: %FTPDV$ 0x3aea8:$x3: %FTPDV$ 0x18e44:$x4: $%TelegramDv$ 0x39884:$x4: $%TelegramDv$ 0x1677b:$x5: KeyLoggerEventArgs 0x16b10:$x5: KeyLoggerEventArgs 0x371bb:$x5: KeyLoggerEventArgs 0x37550:$x5: KeyLoggerEventArgs 0x1a48c:$m2: Clipboard Logs ID 0x1a6ca:$m2: Screenshot Logs ID 0x1a7da:$m2: keystroke Logs ID 0x3aecc:$m2: Clipboard Logs ID 0x3b10a:$m2: Screenshot Logs ID 0x3b21a:$m2: keystroke Logs ID 0x1aab4:$m3: SnakePW 0x3b4f4:$m3: SnakePW 0x1a6a2:$m4: \SnakeKeylogger\
Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x54e60:$a1: get_encryptedPassword 0x55142:$a2: get_encryptedUsername 0x54c76:$a3: get_timePasswordChanged 0x54d71:$a4: get_passwordField 0x54e76:$a5: set_encryptedPassword 0x57356:$a7: get_logins 0x572b9:$a10: KeyLoggerEventArgs 0x56f24:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x56f24:$x5: KeyLoggerEventArgs 0x572b9:$x5: KeyLoggerEventArgs 0x5788f:$x5: KeyLoggerEventArgs 0x57bf0:$x5: KeyLoggerEventArgs 0x594e8:$m2: Clipboard Logs ID 0x595ee:$m2: Screenshot Logs ID 0x59644:$m2: keystroke Logs ID 0x59779:$m3: SnakePW 0x595da:$m4: \SnakeKeylogger\
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c84:$a1: get_encryptedPassword 0x12f70:$a2: get_encryptedUsername 0x12a90:$a3: get_timePasswordChanged 0x12b8b:$a4: get_passwordField 0x12c9a:$a5: set_encryptedPassword 0x14335:$a7: get_logins 0x14298:$a10: KeyLoggerEventArgs 0x13f03:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5fe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19830:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c63:$a4: \Orbitum\User Data\Default\Login Data 0x1aca2:$a5: \Kometa\User Data\Default\Login Data
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1386f:$s1: UnHook 0x13876:$s2: SetHook 0x1387e:$s3: CallNextHook 0x1388b:$s4: _hook
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c48:$x1: $%SMTPDV$ 0x1662c:$x2: $#TheHashHere%& 0x17bf0:$x3: %FTPDV$ 0x165cc:$x4: $%TelegramDv$ 0x13f03:$x5: KeyLoggerEventArgs 0x14298:$x5: KeyLoggerEventArgs 0x17c14:$m2: Clipboard Logs ID 0x17e52:$m2: Screenshot Logs ID 0x17f62:$m2: keystroke Logs ID 0x1823c:$m3: SnakePW 0x17e2a:$m4: \SnakeKeylogger\
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c84:$a1: get_encryptedPassword 0x12f70:$a2: get_encryptedUsername 0x12a90:$a3: get_timePasswordChanged 0x12b8b:$a4: get_passwordField 0x12c9a:$a5: set_encryptedPassword 0x14335:$a7: get_logins 0x14298:$a10: KeyLoggerEventArgs 0x13f03:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5fe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19830:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c63:$a4: \Orbitum\User Data\Default\Login Data 0x1aca2:$a5: \Kometa\User Data\Default\Login Data
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1386f:$s1: UnHook 0x13876:$s2: SetHook 0x1387e:$s3: CallNextHook 0x1388b:$s4: _hook
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c48:$x1: $%SMTPDV$ 0x1662c:$x2: $#TheHashHere%& 0x17bf0:$x3: %FTPDV$ 0x165cc:$x4: $%TelegramDv$ 0x13f03:$x5: KeyLoggerEventArgs 0x14298:$x5: KeyLoggerEventArgs 0x17c14:$m2: Clipboard Logs ID 0x17e52:$m2: Screenshot Logs ID 0x17f62:$m2: keystroke Logs ID 0x1823c:$m3: SnakePW 0x17e2a:$m4: \SnakeKeylogger\
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a84:$a1: get_encryptedPassword 0x14d70:$a2: get_encryptedUsername 0x14890:$a3: get_timePasswordChanged 0x1498b:$a4: get_passwordField 0x14a9a:$a5: set_encryptedPassword 0x16135:$a7: get_logins 0x16098:$a10: KeyLoggerEventArgs 0x15d03:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3fe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b630:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba63:$a4: \Orbitum\User Data\Default\Login Data 0x1caa2:$a5: \Kometa\User Data\Default\Login Data
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1566f:$s1: UnHook 0x15676:$s2: SetHook 0x1567e:$s3: CallNextHook 0x1568b:$s4: _hook
0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a48:$x1: $%SMTPDV$ 0x1842c:$x2: $#TheHashHere%& 0x199f0:$x3: %FTPDV$ 0x183cc:$x4: $%TelegramDv$ 0x15d03:$x5: KeyLoggerEventArgs 0x16098:$x5: KeyLoggerEventArgs 0x19a14:$m2: Clipboard Logs ID 0x19c52:$m2: Screenshot Logs ID 0x19d62:$m2: keystroke Logs ID 0x1a03c:$m3: SnakePW 0x19c2a:$m4: \SnakeKeylogger\
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a84:$a1: get_encryptedPassword 0x354c4:$a1: get_encryptedPassword 0x14d70:$a2: get_encryptedUsername 0x357b0:$a2: get_encryptedUsername 0x14890:$a3: get_timePasswordChanged 0x352d0:$a3: get_timePasswordChanged 0x1498b:$a4: get_passwordField 0x353cb:$a4: get_passwordField 0x14a9a:$a5: set_encryptedPassword 0x354da:$a5: set_encryptedPassword 0x16135:$a7: get_logins 0x36b75:$a7: get_logins 0x16098:$a10: KeyLoggerEventArgs 0x36ad8:$a10: KeyLoggerEventArgs 0x15d03:$a11: KeyLoggerEventArgsEventHandler 0x36743:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3fe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce3e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b630:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c070:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba63:$a4: \Orbitum\User Data\Default\Login Data 0x3c4a3:$a4: \Orbitum\User Data\Default\Login Data 0x1caa2:$a5: \Kometa\User Data\Default\Login Data 0x3d4e2:$a5: \Kometa\User Data\Default\Login Data
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1566f:$s1: UnHook 0x360af:$s1: UnHook 0x15676:$s2: SetHook 0x360b6:$s2: SetHook 0x1567e:$s3: CallNextHook 0x360be:$s3: CallNextHook 0x1568b:$s4: _hook 0x360cb:$s4: _hook
0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a48:$x1: $%SMTPDV$ 0x3a488:$x1: $%SMTPDV$ 0x1842c:$x2: $#TheHashHere%& 0x38e6c:$x2: $#TheHashHere%& 0x199f0:$x3: %FTPDV$ 0x3a430:$x3: %FTPDV$ 0x183cc:$x4: $%TelegramDv$ 0x38e0c:$x4: $%TelegramDv$ 0x15d03:$x5: KeyLoggerEventArgs 0x16098:$x5: KeyLoggerEventArgs 0x36743:$x5: KeyLoggerEventArgs 0x36ad8:$x5: KeyLoggerEventArgs 0x19a14:$m2: Clipboard Logs ID 0x19c52:$m2: Screenshot Logs ID 0x19d62:$m2: keystroke Logs ID 0x3a454:$m2: Clipboard Logs ID 0x3a692:$m2: Screenshot Logs ID 0x3a7a2:$m2: keystroke Logs ID 0x1a03c:$m3: SnakePW 0x3aa7c:$m3: SnakePW 0x19c2a:$m4: \SnakeKeylogger\
Click to see the 21 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: SOA CONTAINER LINE Oct 24.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SOA CONTAINER LINE Oct 24.exe

Joe Sandbox ML: detected

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE

Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SOA CONTAINER LINE Oct 24.exe	String found in binary or memory: https://www.google.com/#q=

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Code function: 0_2_00007FFD343ED495	0_2_00007FFD343ED495
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Code function: 0_2_00007FFD343E151B	0_2_00007FFD343E151B
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Code function: 0_2_00007FFD343ED0B0	0_2_00007FFD343ED0B0
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Code function: 0_2_00007FFD343E2926	0_2_00007FFD343E2926
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Code function: 0_2_00007FFD343E3BD9	0_2_00007FFD343E3BD9
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Code function: 0_2_00007FFD343ED0B0	0_2_00007FFD343ED0B0

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 356 -s 12

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: No import functions for PE file found

Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2218067672.0000000003EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000015889000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2218067672.0000000003E61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2218067672.0000000004267000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2228272720.000000001F990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2224515206.000000001C9A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs SOA CONTAINER LINE Oct 24.exe
Source: SOA CONTAINER LINE Oct 24.exe	Binary or memory string: OriginalFilenameFLAO.exe8 vs SOA CONTAINER LINE Oct 24.exe

Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, 2-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, 2-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, 2-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, 2-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, ---.cs	Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'

Source: classification engine

Classification label: mal88.troj.evad.winEXE@4/1@0/0

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SOA CONTAINER LINE Oct 24.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess356
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Mutant created: \Sessions\1\BaseNamedObjects\rjhVamkNEUpemgxprqSxOlIwx

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\805da2ed-c4ed-459c-a779-1d3811ff6323

Jump to behavior

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SOA CONTAINER LINE Oct 24.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SOA CONTAINER LINE Oct 24.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe "C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process created: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe "C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 356 -s 12
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process created: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe "C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41B89B6B-9399-11D2-9623-00C04F8EE628}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Code function: 0_2_00007FFD343E00BD pushad ; iretd

0_2_00007FFD343E00C1

Source: SOA CONTAINER LINE Oct 24.exe

Static PE information: section name: .text entropy: 7.918358277292282

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Memory allocated: 12F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Memory allocated: 1BE60000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe TID: 3704

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2228272720.000000001F990000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: ENC7I0UVSDQuQZj7JDeJZPZjALyKCjWdNpvPcaFZ8UqhUPTNY8Rlh0w1OxT49Ult8UmiKGRWsDWiD1iEUBcuX0hPLUwZJBpOIaJlUitwL4fKldAxxgGJSUL6mEvxH1UserControlSystem.Windows.FormshsCVCwb2UA9l8mUSNQUITypeEditorSystem.Drawing.DesignSystem.DrawingYReBPDXV9ZNQFgaTdQEnumR8vC8PDbBBg7eqMle6rwRos5tdXsniRDCRpZwkZ7CjEYBuWrDPN6Fglr9qdOOQVQnX6I3TrVMciI1yluHU80kJjAQbO1Z2Q9QxMBHRxeMFTmvOfwZYV8cSqBvLZjB3MXqmoGkxB9SZtXo43aQu1SHHnyT4hEytoZPCWW7cSwBdf1Rk9SQBhUHHbjkVWWD7pPa5mB2Ii1oZOdrX6fL8edAQ7eLSFhPx4EQJSoAS705CixZJl7000hmJsJ195TH9FeSCPGHAuR4x7V5cFW2tfaY4rOpEJWREDUJXU8PPx5e80OtJnMSPrslKbk2fftxH6jjLcjTtli3wjXXcE43HVy5IacF61LdCLdebFhe5bbMLtT2DLnokj98BkdqDsMIjQi55to0OETXFYIbaw5fy7FW16ZJ0PQudaxVmHZFG2wVRp3E8PRIZx6poMCHtafPuugQwxcaDLvN4eMEK8pJHsTEventArgscm00AS61yFChjmxkGQApplicationExceptionWNbwEGobbkCZHARmeXlguTCXRMun3SixujNTMLXPdwmrqDIjaIdwcuQ2RSWSe04pZq2OYyYCA1FxH8SLkefUvKnWlqzQ4C408KDPtUcaykuPvpVbeQgXyxuSrXsNFiArUSW6s8QC2kNf6yTQFormhhSNDA1qCLFtFLafC0pDSeQrpmIfMeXlBDbcVUMgDVCTuOaVJ6v1aeRandomwq32NDa6umrhipQRFhy2dicJTx5i1UJouYwtExpandableObjectConverterSystem.ComponentModelTHjWsNJirNDWByatV5sLOq2du5sZl4uqUUd0VSU9RIv7SWmMhQR6gjEBCaJtfeTEbnbTw3q4<Module>{4489A06A-3CC7-431E-8D99-43F5F3BF98FC}CrreGowaUy2O6TZXGIQuT04yhrKHfTuioi1xMulticastDelegateimniDy3ADXj6Um6rQi<PrivateImplementationDetails>{3737F7A5-4CFF-4A83-A41C-022A0DB5878F}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Thread register set: target process: 356

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Process created: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe "C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Queries volume information: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR

Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e924b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA CONTAINER LINE Oct 24.exe.13e71a78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA CONTAINER LINE Oct 24.exe PID: 5368, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOA CONTAINER LINE Oct 24.exe	22%	ReversingLabs	Win32.Trojan.Generic
SOA CONTAINER LINE Oct 24.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
http://checkip.dyndns.org/q	SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/#q=	SOA CONTAINER LINE Oct 24.exe	false	high
https://reallyfreegeoip.org/xml/	SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557907
Start date and time:	2024-11-18 18:17:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOA CONTAINER LINE Oct 24.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@4/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 54% Number of executed functions: 6 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SOA CONTAINER LINE Oct 24.exe

Simulations

Behavior and APIs

Time	Type	Description
12:18:03	API Interceptor	2x Sleep call for process: SOA CONTAINER LINE Oct 24.exe modified

Process:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.38398350549571
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKjRHmYHKGSI6oPtHTHhAHKKkl+vxp3/elT:iq+wmj0qFGYqGSI6oPtzHeqKksZp/elT
MD5:	AF16B658F6C24EDB649D384BDE4C754C
SHA1:	884A3A8612E63757536133D992E56D2950D33F2C
SHA-256:	E89BF2F4F6D77FE14251084F4121B79E34820321B5471E0649240CE6D598B832
SHA-512:	D88025C14ACE963411612F4456E1001D5947CD84927D6E906DAB56806D20AD3F176122B7E9F32C77846EA3B238642D892C5F8D722204AF3C387598EBDF9737FD
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neu

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.912335817097297
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	SOA CONTAINER LINE Oct 24.exe
File size:	702'976 bytes
MD5:	022751194e17f47b1651de3600f08dc1
SHA1:	c6c5b6f8dfc9163a51cd983662a2afdbbce69eb3
SHA256:	cde7e6227b12f407f02e9dfcd2025e6716248f5c8ffc93dd8c00cc8e14ee63ed
SHA512:	c4da34b69757201fc2567dacdfef26219839f9bef36d6b16c808077b0a4f9f01fb6cd498222f5704bea48aff3a0cc8e57ba3028717783211a223f091c391f854
SSDEEP:	12288:KbQ0AlSGvCpQTXKGHILLMh9xm6wk6qHV4p4nxupPXYU8TQqUq4EsKSsm9:6oBxXKGWMVm6h6wGp4noNFqhAs+
TLSH:	56E412B917651726CABFAEF3263633D84375DB8768A1DB5D0AC490EC6783B4145133C2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....;g.........."...0.................. .....@..... ....................................@...@......@............... .....

File Icon


Icon Hash:	0595150b64f0390f

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B1007 [Mon Nov 18 09:59:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x1ab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa9b54	0xa9c00	2fe7ea2fe319d83db725c7403ed91242	False	0.9177760263254786	data	7.918358277292282	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x1ab8	0x1c00	a64707944b78b75c63b79bbe79e7a9aa	False	0.8045479910714286	data	7.217970328166368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac100	0x1439	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9592428047131544
RT_GROUP_ICON	0xad54c	0x14	data	1.05
RT_VERSION	0xad570	0x348	data	0.43214285714285716
RT_MANIFEST	0xad8c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Target ID:	0
Start time:	12:18:02
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"
Imagebase:	0xa20000
File size:	702'976 bytes
MD5 hash:	022751194E17F47B1651DE3600F08DC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:18:04
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"
Imagebase:	0x9f0000
File size:	702'976 bytes
MD5 hash:	022751194E17F47B1651DE3600F08DC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:18:05
Start date:	18/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 356 -s 12
Imagebase:	0x7ff7f5a20000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.1%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD343E3BD9 Relevance: 3.1, Strings: 2, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`^-4, xrefs: 00007FFD343E3D94
{ N_^, xrefs: 00007FFD343E3FF4

Memory Dump Source

Source File: 00000000.00000002.2229005555.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343e0000_SOA CONTAINER LINE Oct 24.jbxd

Similarity

API ID:
String ID: `^-4${ N_^
API String ID: 0-3902655902
Opcode ID: 43e29cd3bbdf88126a500e010e9e36d993682b3a24b0887ce08088e861ba9d6f
Instruction ID: 44f3ccd63a456b6e788385864d68079c6db03e608817ed5961af440aae39dadb
Opcode Fuzzy Hash: 43e29cd3bbdf88126a500e010e9e36d993682b3a24b0887ce08088e861ba9d6f
Instruction Fuzzy Hash: D512153170DB494FE759FB2884A567A77D1EF9A300F1805BED18EC7293DD39A8828741

Function 00007FFD343ED495 Relevance: 3.0, Strings: 2, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2!,4, xrefs: 00007FFD343ED913
2!,4, xrefs: 00007FFD343EDAF0

Memory Dump Source

Source File: 00000000.00000002.2229005555.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343e0000_SOA CONTAINER LINE Oct 24.jbxd

Similarity

API ID:
String ID: 2!,4$2!,4
API String ID: 0-193823299
Opcode ID: 97c9d4a51f3da044cdb4f84188502e0e249a983373524229d14ad6031ae4eeda
Instruction ID: 4c6db28a58c252eaa7cf14530f08fb28d3e7df436d3ae038276034ee6f589b49
Opcode Fuzzy Hash: 97c9d4a51f3da044cdb4f84188502e0e249a983373524229d14ad6031ae4eeda
Instruction Fuzzy Hash: 4B02086294E6874FE726A76888612B63FA0EF53314F0C42FBC189CB1D3EA2C544A9751

Function 00007FFD343E2926 Relevance: 1.7, Instructions: 1734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229005555.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343e0000_SOA CONTAINER LINE Oct 24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27590b86e71346d4622feb15c55b78583c9f81cc05fa0048017ec73aa821992
Instruction ID: 8322f583c19075d6d29801db8051c88e56709ffc9398d5f58375daadfd321caf
Opcode Fuzzy Hash: c27590b86e71346d4622feb15c55b78583c9f81cc05fa0048017ec73aa821992
Instruction Fuzzy Hash: C4E2D67160DB458FD795EB28C0A57A677E1FF9A300F1445BDD08EC72A2DE38A886CB41

Function 00007FFD343E151B Relevance: 1.6, Strings: 1, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>4, xrefs: 00007FFD343E15E9

Memory Dump Source

Source File: 00000000.00000002.2229005555.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343e0000_SOA CONTAINER LINE Oct 24.jbxd

Similarity

API ID:
String ID: >4
API String ID: 0-3923709113
Opcode ID: 3f3bd343a11938f6de2fefc2b40196871c240efb85446996254bf05e82edf54b
Instruction ID: d5729975f8e8db3c551433f8cf4df4a05e4cd1b91ca3ec596312667194c0b013
Opcode Fuzzy Hash: 3f3bd343a11938f6de2fefc2b40196871c240efb85446996254bf05e82edf54b
Instruction Fuzzy Hash: A6A16823B0EA990FE766B76C9CB61E77FA0EF8332570801BBD189C7183DD1858468391

Function 00007FFD343ED0B0 Relevance: .6, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2229005555.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343e0000_SOA CONTAINER LINE Oct 24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ff14374e5e8de90897e96ccf3c9378be50bbe0e9ff089f461b758bf682963d
Instruction ID: 56a31ba4c62525971a1514a39d08dc75f64eb470b28f0c376b56f13d350f70fe
Opcode Fuzzy Hash: 21ff14374e5e8de90897e96ccf3c9378be50bbe0e9ff089f461b758bf682963d
Instruction Fuzzy Hash: DE12E062A4E3C25FE317A77448A51A63FA0DF53264B1D01FBD4C9CB0E3D96C6886D362

Function 00007FFD343FD48C Relevance: 1.9, APIs: 1, Instructions: 380
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFD343FD7BE

Memory Dump Source

Source File: 00000000.00000002.2229005555.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343e0000_SOA CONTAINER LINE Oct 24.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a960b3f4f25502ffbf6a867ce7372876a386602d25adb761838f772cd0f5ba9f
Instruction ID: 0b17625ec0161615fcfdc92129e0d72bc93ed1fba1638af21d988e5fce7bc6d1
Opcode Fuzzy Hash: a960b3f4f25502ffbf6a867ce7372876a386602d25adb761838f772cd0f5ba9f
Instruction Fuzzy Hash: F3C1A431618A8D8FEB64EF28C8597F977D0FF59310F10422EE84EC7291DB74A5458B82

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA CONTAINER LINE Oct 24.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SOA CONTAINER LINE Oct 24.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SOA CONTAINER LINE Oct 24.exePID: 5368, Parent PID: 4004

General

Windows Analysis Report
SOA CONTAINER LINE Oct 24.exe

Function 00007FFD343E3BD9 Relevance: 3.1, Strings: 2, Instructions: 640
COMMON

Function 00007FFD343ED495 Relevance: 3.0, Strings: 2, Instructions: 539
COMMON

Function 00007FFD343E151B Relevance: 1.6, Strings: 1, Instructions: 359
COMMON

Function 00007FFD343ED0B0 Relevance: .6, Instructions: 607
COMMON

Function 00007FFD343FD48C Relevance: 1.9, APIs: 1, Instructions: 380
processCOMMON