Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\snake-cleaned_reversed.bak2.exe

"C:\Users\user\Desktop\snake-cleaned_reversed.bak2.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7568
Target ID:	0
Parent PID:	2580
Name:	snake-cleaned_reversed.bak2.exe
Path:	C:\Users\user\Desktop\snake-cleaned_reversed.bak2.exe
Commandline:	"C:\Users\user\Desktop\snake-cleaned_reversed.bak2.exe"
Size:	124928
MD5:	D9024AFBD347D3060B6453CCE8E4C1B2
Time:	16:22:12
Date:	01/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbd0000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://checkip.dyndns.org/

158.101.44.242

http://checkip.dyndns.comd

unknown

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.orgd

unknown

http://reallyfreegeoip.org

unknown

http://checkip.dyndns.orgd

unknown

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

http://checkip.dyndns.org/d

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

158.101.44.242

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	0
Current Path:	C:\Users\user\Desktop\snake-cleaned_reversed.bak2.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

158.101.44.242

checkip.dyndns.com

United States

Details

IP:	158.101.44.242
TargetID:	0
Current Path:	C:\Users\user\Desktop\snake-cleaned_reversed.bak2.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\snake-cleaned_reversed_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

BD2000

unkown

page readonly

30A1000

trusted library allocation

page read and write

3274000

trusted library allocation

page read and write

E89000

stack

page read and write

11B5000

heap

page read and write

F87000

stack

page read and write

58AD000

trusted library allocation

page read and write

BD0000

unkown

page readonly

138E000

stack

page read and write

5620000

heap

page read and write

31E5000

trusted library allocation

page read and write

2EDB000

trusted library allocation

page read and write

142D000

trusted library allocation

page execute and read and write

106E000

heap

page read and write

5610000

trusted library allocation

page read and write

5623000

heap

page read and write

2EEE000

trusted library allocation

page read and write

6DE0000

heap

page read and write

40C9000

trusted library allocation

page read and write

1155000

heap

page read and write

6D20000

trusted library allocation

page read and write

2EF1000

trusted library allocation

page read and write

55BD000

stack

page read and write

6B4E000

stack

page read and write

106A000

heap

page read and write

31A5000

trusted library allocation

page read and write

6825000

heap

page read and write

165B000

trusted library allocation

page execute and read and write

31F9000

trusted library allocation

page read and write

6DF0000

trusted library allocation

page execute and read and write

1650000

trusted library allocation

page read and write

3186000

trusted library allocation

page read and write

3238000

trusted library allocation

page read and write

4130000

trusted library allocation

page read and write

319B000

trusted library allocation

page read and write

523D000

stack

page read and write

6790000

heap

page read and write

31ED000

trusted library allocation

page read and write

5890000

trusted library allocation

page execute and read and write

1640000

trusted library allocation

page read and write

3020000

trusted library allocation

page read and write

1413000

trusted library allocation

page execute and read and write

32E6000

trusted library allocation

page read and write

3030000

trusted library allocation

page read and write

16D0000

heap

page read and write

321C000

trusted library allocation

page read and write

58C0000

heap

page execute and read and write

104E000

stack

page read and write

5BCE000

stack

page read and write

3304000

trusted library allocation

page read and write

58B0000

trusted library allocation

page read and write

5BD2000

trusted library allocation

page read and write

3308000

trusted library allocation

page read and write

1430000

heap

page read and write

141D000

trusted library allocation

page execute and read and write

2EE2000

trusted library allocation

page read and write

6D40000

trusted library allocation

page execute and read and write

6D10000

trusted library allocation

page execute and read and write

3201000

trusted library allocation

page read and write

10A3000

heap

page read and write

40A1000

trusted library allocation

page read and write

410C000

trusted library allocation

page read and write

301F000

stack

page read and write

3335000

trusted library allocation

page read and write

112F000

heap

page read and write

2EEA000

trusted library allocation

page read and write

3090000

heap

page execute and read and write

32EC000

trusted library allocation

page read and write

32F6000

trusted library allocation

page read and write

316E000

trusted library allocation

page read and write

3330000

trusted library allocation

page read and write

16BE000

stack

page read and write

16C0000

trusted library allocation

page execute and read and write

3151000

trusted library allocation

page read and write

3266000

trusted library allocation

page read and write

58A0000

trusted library allocation

page read and write

2EC0000

trusted library allocation

page read and write

1414000

trusted library allocation

page read and write

4133000

trusted library allocation

page read and write

319D000

trusted library allocation

page read and write

2ED6000

trusted library allocation

page read and write

32E1000

trusted library allocation

page read and write

1060000

heap

page read and write

31FD000

trusted library allocation

page read and write

1410000

trusted library allocation

page read and write

31F5000

trusted library allocation

page read and write

1087000

heap

page read and write

67EA000

heap

page read and write

56D0000

heap

page read and write

6D50000

trusted library allocation

page read and write

2EFD000

trusted library allocation

page read and write

32FF000

trusted library allocation

page read and write

6BCF000

stack

page read and write

4126000

trusted library allocation

page read and write

69CD000

stack

page read and write

698E000

stack

page read and write

31F1000

trusted library allocation

page read and write

1646000

trusted library allocation

page execute and read and write

2EDE000

trusted library allocation

page read and write

2F10000

heap

page read and write

31AD000

trusted library allocation

page read and write

1000000

heap

page read and write

333B000

trusted library allocation

page read and write

6D30000

trusted library allocation

page execute and read and write

31A9000

trusted library allocation

page read and write

2EBE000

stack

page read and write

2EF6000

trusted library allocation

page read and write

67DA000

heap

page read and write

3257000

trusted library allocation

page read and write

6D0F000

stack

page read and write

5B0E000

stack

page read and write

1652000

trusted library allocation

page read and write

316C000

trusted library allocation

page read and write

2ED0000

trusted library allocation

page read and write

3329000

trusted library allocation

page read and write

3253000

trusted library allocation

page read and write

31B1000

trusted library allocation

page read and write

1655000

trusted library allocation

page execute and read and write

58B5000

trusted library allocation

page read and write

6B8E000

stack

page read and write

1670000

trusted library allocation

page read and write

FF0000

heap

page read and write

7280000

heap

page read and write

164A000

trusted library allocation

page execute and read and write

1642000

trusted library allocation

page read and write

6A0F000

stack

page read and write

6C0E000

stack

page read and write

6D60000

trusted library allocation

page read and write

5BD9000

trusted library allocation

page read and write

3050000

trusted library allocation

page read and write

6A4E000

stack

page read and write

58BB000

trusted library allocation

page read and write

58B7000

trusted library allocation

page read and write

11B0000

heap

page read and write

1657000

trusted library allocation

page execute and read and write

322A000

trusted library allocation

page read and write

5BD0000

trusted library allocation

page read and write

1420000

trusted library allocation

page read and write

31E9000

trusted library allocation

page read and write

1400000

trusted library allocation

page read and write

13D0000

heap

page read and write

413C000

trusted library allocation

page read and write

There are 132 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
snake-cleaned_reversed.bak2.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsnake-cleaned_reversed.bak2.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
snake-cleaned_reversed.bak2.exe