Windows Analysis Report
new shipment.exe

Overview

General Information

Sample name: new shipment.exe
Analysis ID: 1520580
MD5: 41e96a8eabf31d7b5abbeb15d5307b40
SHA1: 0c406ef15662e8580a724ef05dfb04d76c222c9c
SHA256: d7ea65fb9c018f20cff23dc97bb8a9a6818e97c333a5485142f2e0210be204e1
Tags: exeSnakeKeyloggeruser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw", "Chat_id": "5007084465", "Version": "4.4"}
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw", "Chat id": "5007084465", "Version": "4.4"}
Multi AV Scanner detection for submitted file
Source: new shipment.exe ReversingLabs: Detection: 50%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: new shipment.exe Joe Sandbox ML: detected
Source: new shipment.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Configuration.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.pdbSystem.Core.ni.dll source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER92DB.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: new shipment.exe, 00000000.00000002.2602151937.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdbL0Tw# source: WER92DB.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\,( source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
Source: Binary string: HPHo0C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: new shipment.exe, 00000002.00000002.1450342369.00000000036D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: new shipment.exe, 00000002.00000002.1450342369.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.00000000036C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\new shipment.exe Code function: 0_2_06498C80 0_2_06498C80
Source: C:\Users\user\Desktop\new shipment.exe Code function: 2_2_018939F0 2_2_018939F0
Source: C:\Users\user\Desktop\new shipment.exe Code function: 2_2_01893E09 2_2_01893E09
Source: C:\Users\user\Desktop\new shipment.exe Code function: 2_2_018929EC 2_2_018929EC
One or more processes crash
Source: C:\Users\user\Desktop\new shipment.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528
Sample file is different than original file name gathered from version info
Source: new shipment.exe, 00000000.00000002.2597016395.00000000012BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2602151937.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs new shipment.exe
Source: new shipment.exe, 00000000.00000000.1334745220.0000000000D12000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePvI.exe( vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2600980391.00000000057A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new shipment.exe
Source: new shipment.exe, 00000002.00000002.1448682843.0000000000444000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs new shipment.exe
Source: new shipment.exe, 00000002.00000002.1448957285.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new shipment.exe
Source: new shipment.exe Binary or memory string: OriginalFilenamePvI.exe( vs new shipment.exe
Yara signature match
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.new shipment.exe.57a0000.5.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, mm-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, mm-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, mm-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, mm-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.57a0000.5.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, -.cs Base64 encoded string: 'Po2GZWUhvfUeLnbwmmtuvQoyc0qjrFr4WqeP3QHoVwXCKF0sCMsk3YCon1wvapzc'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, -.cs Base64 encoded string: 'Po2GZWUhvfUeLnbwmmtuvQoyc0qjrFr4WqeP3QHoVwXCKF0sCMsk3YCon1wvapzc'
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/5@1/1
Source: C:\Users\user\Desktop\new shipment.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1464
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\00284efd-9f10-4bf1-82ef-f829a9110eaa Jump to behavior
Source: new shipment.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: new shipment.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\new shipment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: new shipment.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\new shipment.exe File read: C:\Users\user\Desktop\new shipment.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe"
Source: C:\Users\user\Desktop\new shipment.exe Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe"
Source: C:\Users\user\Desktop\new shipment.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528
Source: C:\Users\user\Desktop\new shipment.exe Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe" Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\new shipment.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: new shipment.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new shipment.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Configuration.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.pdbSystem.Core.ni.dll source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER92DB.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: new shipment.exe, 00000000.00000002.2602151937.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdbL0Tw# source: WER92DB.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\,( source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER92DB.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
Source: Binary string: HPHo0C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: new shipment.exe, ExportProvider.cs .Net Code: CreateExportFactory
Binary contains a suspicious time stamp
Source: new shipment.exe Static PE information: 0xEA086D61 [Thu Jun 3 16:27:13 2094 UTC]
Source: new shipment.exe Static PE information: section name: .text entropy: 7.274277592919608
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: 1630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: 50A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: 1890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: 3610000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: 1CA0000 memory reserve | memory write watch Jump to behavior
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgura
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\new shipment.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\new shipment.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\new shipment.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.new shipment.exe.5be0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.new shipment.exe.5be0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.new shipment.exe.5be0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\new shipment.exe Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Users\user\Desktop\new shipment.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Users\user\Desktop\new shipment.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new shipment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520580 Sample: new shipment.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 18 checkip.dyndns.org 2->18 20 checkip.dyndns.com 2->20 24 Found malware configuration 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus detection for URL or domain 2->28 30 9 other signatures 2->30 8 new shipment.exe 2 2->8         started        signatures3 process4 process5 10 new shipment.exe 15 2 8->10         started        dnsIp6 22 checkip.dyndns.com 132.226.8.169, 49706, 80 UTMEMUS United States 10->22 13 WerFault.exe 19 16 10->13         started        process7 file8 16 C:\ProgramData\Microsoft\...\Report.wer, Unicode 13->16 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown