
Windows Analysis Report
New shipment AWB NO - 09804480383.exe

Overview

General Information

Sample name: New shipment AWB NO - 09804480383.exe
Analysis ID: 1562198
MD5: 9cc05f64e356b945babe74affd290f68
SHA1: a68db5877b42bfc24c6772f19e168fd7fb50a2c1
SHA256: 252e7708de6bd7a39023a8a45d04bf5beddde51eeddc5782465b00c115d3a98e
Tags: exe, user-cocaman

Detection

Snake Keylogger
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • New shipment AWB NO - 09804480383.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe" MD5: 9CC05F64E356B945BABE74AFFD290F68)
    • New shipment AWB NO - 09804480383.exe (PID: 2012 cmdline: "C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe" MD5: 9CC05F64E356B945BABE74AFFD290F68)
      • WerFault.exe (PID: 3460 cmdline: C:\Windows\system32\WerFault.exe -u -p 2012 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
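The tree above is the pattern that the "Creates a process in suspended mode" and "Modifies the context of a thread in another process" signatures describe: the sample launches a second copy of itself (PID 2012) with the same command line, and that copy is the one WerFault.exe reports on. The following Python is an added example, not part of the Joe Sandbox report, of turning that pattern into a detection over Sysmon-style process-creation events. The event records are constructed from the tree; explorer.exe as the launcher and its PID 4321 are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (EventID 1) that mirror the
# tree above. PIDs, image paths and command lines are copied from the report;
# the explorer.exe launcher and its PID 4321 are assumed.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6976, "ParentProcessId": 4321,
     "Image": SAMPLE_IMAGE, "CommandLine": f'"{SAMPLE_IMAGE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2012, "ParentProcessId": 6976,
     "Image": SAMPLE_IMAGE, "CommandLine": f'"{SAMPLE_IMAGE}"',
     "ParentImage": SAMPLE_IMAGE},
    {"EventID": 1, "ProcessId": 3460, "ParentProcessId": 2012,
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 2012 -s 12",
     "ParentImage": SAMPLE_IMAGE},
]

# WerFault is handed the crashing process id with -p (-u marks a user-mode crash)
WERFAULT_TARGET = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def analyze_process_tree(events):
    """Return a list of (pid, finding) tuples, in event order.

    1. self-spawn: a process whose parent has the same image path and whose
       command line is just that image. A loader that calls CreateProcess with
       CREATE_SUSPENDED on its own image and then injects into it produces
       exactly this parent/child pair.
    2. crash of a self-spawned child, seen as WerFault.exe -p <pid> naming a PID
       from check 1: the injected code faulted. In this run the sandbox recorded
       no network traffic (classification label ends in @0/0), consistent with
       the stealer never reaching its exfiltration code.
    The user-writable-path note is a weak signal on its own, so it is only
    attached to a process that already matched check 1."""
    findings = []
    self_spawned = set()
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        pid = ev["ProcessId"]
        same_image = ev["Image"].lower() == ev["ParentImage"].lower()
        bare_cmdline = ev["CommandLine"].strip('"').lower() == ev["Image"].lower()
        if same_image and bare_cmdline:
            self_spawned.add(pid)
            note = "self-spawn with identical command line (suspended-copy injection pattern)"
            if USER_WRITABLE.match(ev["Image"]):
                note += "; image lives under a user-writable path"
            findings.append((pid, note))
        m = WERFAULT_TARGET.search(ev["CommandLine"])
        if m and int(m.group(1)) in self_spawned:
            findings.append((int(m.group(1)),
                             f"crashed after injection: WerFault.exe (PID {pid}) reporting on it"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyze_process_tree(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

Self-spawn alone also fires on legitimate updaters and on some installers that relaunch themselves elevated, so in production pair it with the injection telemetry Sysmon gives you (EventID 8 CreateRemoteThread, or EventID 10 with PROCESS_VM_WRITE access) before paging anyone.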
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration (Snake Keylogger): {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}
Yara Overview

Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
    Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
    Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
      • 0x1b6b44:$a1: get_encryptedPassword
      • 0x1d7584:$a1: get_encryptedPassword
      • 0x1f7dbc:$a1: get_encryptedPassword
      • 0x1b6e30:$a2: get_encryptedUsername
      • 0x1d7870:$a2: get_encryptedUsername
      • 0x1f80a8:$a2: get_encryptedUsername
      • 0x1b6950:$a3: get_timePasswordChanged
      • 0x1d7390:$a3: get_timePasswordChanged
      • 0x1f7bc8:$a3: get_timePasswordChanged
      • 0x1b6a4b:$a4: get_passwordField
      • 0x1d748b:$a4: get_passwordField
      • 0x1f7cc3:$a4: get_passwordField
      • 0x1b6b5a:$a5: set_encryptedPassword
      • 0x1d759a:$a5: set_encryptedPassword
      • 0x1f7dd2:$a5: set_encryptedPassword
      • 0x1b81f5:$a7: get_logins
      • 0x1d8c35:$a7: get_logins
      • 0x1f946d:$a7: get_logins
      • 0x1b8158:$a10: KeyLoggerEventArgs
      • 0x1d8b98:$a10: KeyLoggerEventArgs
      • 0x1f93d0:$a10: KeyLoggerEventArgs
    Rule: MALWARE_Win_SnakeKeylogger; Description: Detects Snake Keylogger; Author: ditekSHen; Strings:
      • 0x1bbb08:$x1: $%SMTPDV$
      • 0x1dc548:$x1: $%SMTPDV$
      • 0x1fcd80:$x1: $%SMTPDV$
      • 0x1ba4ec:$x2: $#TheHashHere%&
      • 0x1daf2c:$x2: $#TheHashHere%&
      • 0x1fb764:$x2: $#TheHashHere%&
      • 0x1bbab0:$x3: %FTPDV$
      • 0x1dc4f0:$x3: %FTPDV$
      • 0x1fcd28:$x3: %FTPDV$
      • 0x1ba48c:$x4: $%TelegramDv$
      • 0x1daecc:$x4: $%TelegramDv$
      • 0x1fb704:$x4: $%TelegramDv$
      • 0x1b7dc3:$x5: KeyLoggerEventArgs
      • 0x1b8158:$x5: KeyLoggerEventArgs
      • 0x1d8803:$x5: KeyLoggerEventArgs
      • 0x1d8b98:$x5: KeyLoggerEventArgs
      • 0x1f903b:$x5: KeyLoggerEventArgs
      • 0x1f93d0:$x5: KeyLoggerEventArgs
      • 0x1bbad4:$m2: Clipboard Logs ID
      • 0x1bbd12:$m2: Screenshot Logs ID
      • 0x1bbe22:$m2: keystroke Logs ID
Source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976
    Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
    (3 entries for this source in the full report)

Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack
    Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
    Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
    Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
            • 0x12c84:$a1: get_encryptedPassword
            • 0x12f70:$a2: get_encryptedUsername
            • 0x12a90:$a3: get_timePasswordChanged
            • 0x12b8b:$a4: get_passwordField
            • 0x12c9a:$a5: set_encryptedPassword
            • 0x14335:$a7: get_logins
            • 0x14298:$a10: KeyLoggerEventArgs
            • 0x13f03:$a11: KeyLoggerEventArgsEventHandler
    Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth; Strings:
            • 0x1a5fe:$a2: \Comodo\Dragon\User Data\Default\Login Data
            • 0x19830:$a3: \Google\Chrome\User Data\Default\Login Data
            • 0x19c63:$a4: \Orbitum\User Data\Default\Login Data
            • 0x1aca2:$a5: \Kometa\User Data\Default\Login Data
    Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook; Description: Detects executables with potential process hoocking; Author: ditekSHen; Strings:
            • 0x1386f:$s1: UnHook
            • 0x13876:$s2: SetHook
            • 0x1387e:$s3: CallNextHook
            • 0x1388b:$s4: _hook
    (21 entries for this source in the full report)

No Sigma rule has matched
No Suricata rule has matched

            AV Detection

Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}
Source: New shipment AWB NO - 09804480383.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: New shipment AWB NO - 09804480383.exe | Joe Sandbox ML: detected
Source: New shipment AWB NO - 09804480383.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ZEcP.pdbSHA256i | source: New shipment AWB NO - 09804480383.exe
Source: Binary string: ZEcP.pdb | source: New shipment AWB NO - 09804480383.exe

            Networking

Source: Yara match | File source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: New shipment AWB NO - 09804480383.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
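The extracted configuration (Telegram bot token and chat_id), the channel marker strings matched by the MALWARE_Win_SnakeKeylogger rule ($%TelegramDv$, $%SMTPDV$, %FTPDV$) and the two lookup URLs above all live in the same memory region (154B9000). The following Python is an added example, not code from Joe Sandbox or from the rule authors, that recovers them from a raw memory dump. .NET keeps string literals as UTF-16LE, so the dump is scanned as-is and again with the zero high bytes folded away, at both alignments. The dump it scans is constructed, with a made-up token and chat_id; the 35-character token length and the `/sendMessage?chat_id=` URL shape are assumptions taken from the URL in this report.

```python
import re

# Channel marker strings from the MALWARE_Win_SnakeKeylogger (ditekSHen) hits above
EXFIL_MARKERS = {b"$%TelegramDv$": "Telegram", b"$%SMTPDV$": "SMTP", b"%FTPDV$": "FTP"}

# Victim IP / geolocation lookups the report found in memory: benign services, but a
# request to them from a process that is not a browser is a usable detection point.
RECON_HOSTS = (b"checkip.dyndns.org", b"reallyfreegeoip.org")

# Bot API URL shape embedded by this sample (assumed general):
#   /bot<bot id>:<35-char secret>/sendMessage?chat_id=<n>
TELEGRAM_URL = re.compile(
    rb"https://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/sendMessage\?chat_id=(-?\d+)")


def views(dump: bytes):
    """The dump as-is plus two UTF-16LE-collapsed copies (even and odd alignment).
    A code unit with a zero high byte keeps its low byte; anything else becomes
    0xFF so it cannot accidentally complete an ASCII match."""
    out = [dump]
    for start in (0, 1):
        units = dump[start:]
        units = units[: len(units) - len(units) % 2]
        out.append(bytes(lo if hi == 0 else 0xFF
                         for lo, hi in zip(units[0::2], units[1::2])))
    return out


def extract_config(dump: bytes) -> dict:
    """Recover the exfiltration config and recon IOCs from one memory region."""
    vs = views(dump)
    cfg = {
        "Markers": [name for mk, name in EXFIL_MARKERS.items() if any(mk in v for v in vs)],
        "Recon URLs": [h.decode() for h in RECON_HOSTS if any(h in v for v in vs)],
        "Exfil Mode": None,
    }
    for v in vs:
        m = TELEGRAM_URL.search(v)
        if m:
            token, chat_id = m.group(1).decode(), m.group(2).decode()
            cfg.update({"Exfil Mode": "Telegram", "Telegram URL": m.group(0).decode(),
                        "Token": token, "Bot ID": token.split(":")[0], "Chat_id": chat_id})
            break
    return cfg


def build_sample_dump() -> bytes:
    """Constructed stand-in for the 154B9000 region: ASCII marker strings, an ASCII
    recon URL, and a UTF-16LE Telegram URL placed at an odd offset so the alignment
    handling is exercised. Token and chat_id are made up, not the report's."""
    url = ("https://api.telegram.org/bot1234567890:AAEconstructedExampleTokenNotReal00"
           "/sendMessage?chat_id=100200300")
    return (b"\x00" * 16 + b"$%TelegramDv$\x00$%SMTPDV$\x00%FTPDV$\x00"
            + b"http://checkip.dyndns.org/q\x00" + b"\xCC" * 5
            + url.encode("utf-16-le") + b"\x00" * 16)


if __name__ == "__main__":
    for key, value in extract_config(build_sample_dump()).items():
        print(f"{key}: {value}")
```

The token is the operator's Bot API credential: record it as an IOC and alert on api.telegram.org traffic from non-browser processes rather than calling the API with it. The operator can rotate the secret at any time, so the bot id (the part before the colon) and the chat_id are the more durable pivots across samples.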

            System Summary

Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Code function: 0_2_00007FFD34569118
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Code function: 0_2_00007FFD34561388
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Code function: 0_2_00007FFD3456B7F9
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2012 -s 12
Source: New shipment AWB NO - 09804480383.exe | Static PE information: No import functions for PE file found
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000000.2105943659.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZEcP.exe@ vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2151639003.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2151639003.0000000003A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2151639003.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2155892347.000000001DF40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe, 00000000.00000002.2156016920.000000001E0E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGreenEnergy.dll@ vs New shipment AWB NO - 09804480383.exe
Source: New shipment AWB NO - 09804480383.exe | Binary or memory string: OriginalFilenameZEcP.exe@ vs New shipment AWB NO - 09804480383.exe
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: New shipment AWB NO - 09804480383.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, 2-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, 2-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, 2-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, 2-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, ---.cs | Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, ---.cs | Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: classification engine | Classification label: mal92.troj.evad.winEXE@4/1@0/0
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\New shipment AWB NO - 09804480383.exe.log
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2012
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5ad194e3-0cf3-4158-b813-a317b73e3a41
Source: New shipment AWB NO - 09804480383.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: New shipment AWB NO - 09804480383.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New shipment AWB NO - 09804480383.exe | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe "C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Process created: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe "C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2012 -s 12
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: New shipment AWB NO - 09804480383.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New shipment AWB NO - 09804480383.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: New shipment AWB NO - 09804480383.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: New shipment AWB NO - 09804480383.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ZEcP.pdbSHA256i | source: New shipment AWB NO - 09804480383.exe
Source: Binary string: ZEcP.pdb | source: New shipment AWB NO - 09804480383.exe

            Data Obfuscation

Source: New shipment AWB NO - 09804480383.exe, LogInGUI.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: New shipment AWB NO - 09804480383.exe | Static PE information: 0xC5438A5D [Thu Nov 15 20:04:45 2074 UTC]
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe | Code function: 0_2_00007FFD345600BD pushad ; iretd 0_2_00007FFD345600C1
Source: New shipment AWB NO - 09804480383.exe | Static PE information: section name: .text entropy: 7.935227027452769
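Several of the static signatures in this report (the compile timestamp in 2074, the .text entropy of 7.94, the missing import table, the CLR header reported as IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, and the DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE flags) can be reproduced from the PE headers alone, without a sandbox. The following Python is an added example, not part of the Joe Sandbox report, that reads those fields with the standard library and emits the same findings. The file it parses is a constructed minimal PE32+ carrying the same header values, not the sample itself.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits and the data-directory indexes used below (winnt.h)
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_IMPORT, DIR_DEBUG, DIR_COM_DESCRIPTOR = 1, 6, 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted payloads sit above ~7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(pe: bytes, now=None) -> dict:
    """Parse the headers with struct only and return the fields the report keys on."""
    now = now or datetime.now(timezone.utc)
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    image_base = struct.unpack_from("<Q" if pe32plus else "<I", pe, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    dirs = opt + (112 if pe32plus else 96)             # data directories start here

    def directory(idx):
        return struct.unpack_from("<II", pe, dirs + 8 * idx)   # (RVA, size)

    sections = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))

    ts = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    is_dotnet = directory(DIR_COM_DESCRIPTOR)[1] != 0
    has_imports = directory(DIR_IMPORT)[1] != 0
    findings = []
    if ts > now:
        findings.append(f"timestamp in the future: 0x{timestamp:08X} [{ts:%a %b %d %H:%M:%S %Y} UTC]")
    if not has_imports:
        # an x64 .NET image needs no import table (the loader starts the CLR from the
        # COM descriptor), so on its own this only says "unusual", not "malicious"
        findings.append("no import table" + (" (normal for x64 .NET)" if is_dotnet else ""))
    for name, ent in sections:
        if ent > 7.0:
            findings.append(f"high-entropy section {name}: {ent:.2f} (packed/encrypted payload)")
    return {
        "machine": machine, "timestamp": timestamp, "timestamp_utc": ts,
        "image_base": image_base,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "is_dotnet": is_dotnet, "has_imports": has_imports,
        "has_debug_dir": directory(DIR_DEBUG)[1] != 0,
        "sections": sections, "findings": findings,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ reproducing the static traits listed in the report
    (timestamp 0xC5438A5D, DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE, CLR
    header, no imports, one high-entropy .text section). It is not the sample."""
    text = b""
    block = b"constructed"
    while len(text) < 4096:                 # deterministic pseudo-random section body
        block = hashlib.sha256(block).digest()
        text += block
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0xC5438A5D, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+
    struct.pack_into("<Q", opt, 24, 0x140000000)          # ImageBase
    struct.pack_into("<H", opt, 70, 0x8540)               # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * DIR_DEBUG, 0x2100, 0x1C)
    struct.pack_into("<II", opt, 112 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), 0x200,
                       0, 0, 0, 0, 0x60000020)            # CODE | EXECUTE | READ
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0") + text


if __name__ == "__main__":
    for line in triage_pe(build_sample_pe())["findings"]:
        print(line)
```

Treat the missing import table as context, not evidence: an x64 .NET assembly has no IAT because the loader starts the CLR from the COM descriptor, which is why the check downgrades it when a CLR header is present. The future timestamp and the near-8-bit entropy of the only code section are the stronger signals here, and both are cheap enough to compute on every attachment at a mail gateway.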
            Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exeFile created: \new shipment awb no - 09804480383.exe
            Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exeFile created: \new shipment awb no - 09804480383.exe
            Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exeFile created: \new shipment awb no - 09804480383.exeJump to behavior
            Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Memory allocated: 1B70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Memory allocated: 1BA90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe TID: 5852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Thread register set: target process: 2012
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Process created: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe "C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Queries volume information: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe VolumeInformation
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            barindex
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976, type: MEMORYSTR

            Remote Access Functionality

            barindex
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1567bb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New shipment AWB NO - 09804480383.exe.1565b0c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: New shipment AWB NO - 09804480383.exe PID: 6976, type: MEMORYSTR
MITRE ATT&CK matrix (one row per cell position; a number in parentheses is the count of signatures mapped to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (111) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (41) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (41) | Security Account Manager | System Information Discovery (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (21) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
New shipment AWB NO - 09804480383.exe | 29% | ReversingLabs | |
New shipment AWB NO - 09804480383.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/q | New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | New shipment AWB NO - 09804480383.exe | false | | high
https://reallyfreegeoip.org/xml/ | New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
No contacted IP infos
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1562198
                  Start date and time:2024-11-25 10:36:04 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 17s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:9
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:New shipment AWB NO - 09804480383.exe
                  Detection:MAL
                  Classification:mal92.troj.evad.winEXE@4/1@0/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 51%
                  • Number of executed functions: 4
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • VT rate limit hit for: New shipment AWB NO - 09804480383.exe
Time | Type | Description
04:36:53 | API Interceptor | 1x Sleep call for process: New shipment AWB NO - 09804480383.exe modified
                  Process:C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):1510
                  Entropy (8bit):5.380493107040482
                  Encrypted:false
                  SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                  MD5:3C7E5782E6C100B90932CBDED08ADE42
                  SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                  SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                  SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                  File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.928156581458441
                  TrID:
                  • Win64 Executable GUI Net Framework (217006/5) 49.88%
                  • Win64 Executable GUI (202006/5) 46.43%
                  • Win64 Executable (generic) (12005/4) 2.76%
                  • Generic Win/DOS Executable (2004/3) 0.46%
                  • DOS Executable Generic (2002/1) 0.46%
                  File name:New shipment AWB NO - 09804480383.exe
                  File size:653'824 bytes
                  MD5:9cc05f64e356b945babe74affd290f68
                  SHA1:a68db5877b42bfc24c6772f19e168fd7fb50a2c1
                  SHA256:252e7708de6bd7a39023a8a45d04bf5beddde51eeddc5782465b00c115d3a98e
                  SHA512:6be8949d64562a86ed6d09e11d7a5ce89786b4d0c375bde549c2e715fdf67eeeeb5fc19c9d38c34883c5f0193bd06de1e61ddeb3a321348e0be90c8677801077
                  SSDEEP:12288:XaoRh3o4DPX9ule6XSP8a3NcVuf0Kcs6sZO42ixZEVcD3476jJDQT:XVRh3oCshXS8a3NyusKcYj2ixGVc076m
                  TLSH:D5D41212367C5F63C67D03F6AA29E34403F351139276F6980EC674EA1A53F128A52FA7
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...].C..........."...0.................. .....@..... .......................@............@...@......@............... .....
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x140000000
                  Entrypoint Section:
                  Digitally signed:false
                  Imagebase:0x140000000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xC5438A5D [Thu Nov 15 20:04:45 2074 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:
                  Instruction
                  dec ebp
                  pop edx
                  nop
                  add byte ptr [ebx], al
                  add byte ptr [eax], al
                  add byte ptr [eax+eax], al
                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x628 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9e550 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9ef9c | 0x9f000 | efaee6b22300a2c6c0cc2236f846797a | False | 0.9427098688089622 | data | 7.935227027452769 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x628 | 0x800 | 71f9091570a1383d9d991606bfe73793 | False | 0.337890625 | data | 3.4596349237634496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa2090 | 0x398 | OpenPGP Public Key | | | 0.42282608695652174
RT_MANIFEST | 0xa2438 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                  No network behavior found

                  Target ID:0
                  Start time:04:36:53
                  Start date:25/11/2024
                  Path:C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
                  Imagebase:0x800000
                  File size:653'824 bytes
                  MD5 hash:9CC05F64E356B945BABE74AFFD290F68
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:3
                  Start time:04:36:57
                  Start date:25/11/2024
                  Path:C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
                  Imagebase:0x160000
                  File size:653'824 bytes
                  MD5 hash:9CC05F64E356B945BABE74AFFD290F68
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:false

                  Target ID:6
                  Start time:04:36:57
                  Start date:25/11/2024
                  Path:C:\Windows\System32\WerFault.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\WerFault.exe -u -p 2012 -s 12
                  Imagebase:0x7ff6131a0000
                  File size:570'736 bytes
                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Execution Graph

                    Execution Coverage:13.2%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:50%
                    Total number of Nodes:6
                    Total number of Limit Nodes:0

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2156955688.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34560000_New shipment AWB NO - 09804480383.jbxd
                    Similarity
                    • API ID:
                    • String ID: `M`4$pM`4
                    • API String ID: 0-2145051569
                    • Opcode ID: 8a04fafd69f41e8fe78ddb203d67a5db3ab549e17e1b2c43b0de0b90472f01ea
                    • Instruction ID: a8715ec20e68cd9a2df066bf7c747172b266140232273310689363bcedb6a9b5
                    • Opcode Fuzzy Hash: 8a04fafd69f41e8fe78ddb203d67a5db3ab549e17e1b2c43b0de0b90472f01ea
                    • Instruction Fuzzy Hash: 0512BF71E0C5598FDB66DF6898A52E9B7E0FF5A320F0441BAC14CE7292DE3C69858F40

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2156955688.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34560000_New shipment AWB NO - 09804480383.jbxd
                    Similarity
                    • API ID:
                    • String ID: 2!D4$2!D4
                    • API String ID: 0-519070062
                    • Opcode ID: d443a6cd57f42d42a91870e91d4d3a8a5023bcacf95e4640da7078f0276f4591
                    • Instruction ID: 9ada3a49ea52fcb969cf9f168dc76ad9eea6d0222fe05460a35474ef333ce9c6
                    • Opcode Fuzzy Hash: d443a6cd57f42d42a91870e91d4d3a8a5023bcacf95e4640da7078f0276f4591
                    • Instruction Fuzzy Hash: 9FF10561D0D2964FEB2BD72888A16643FB0EF53310F1855BBC189CB1E3EE2C550A8792

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2156955688.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34560000_New shipment AWB NO - 09804480383.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: baa922380de199c75dc4e682923851a07ac99828eefed2f5448f320a53b6e22e
                    • Instruction ID: c7e85e64914465bd8ede867e434eb2ff0aeed1b966d064a90996572c83812920
                    • Opcode Fuzzy Hash: baa922380de199c75dc4e682923851a07ac99828eefed2f5448f320a53b6e22e
                    • Instruction Fuzzy Hash: A032EB30E18A1D8FDB99EF58C499AA9B7B1FF59304F1001B9D04DE7296CF39A981CB40

                    Control-flow Graph (rendered graph not reproduced; the function at 7ffd3457b75c spans basic blocks 7ffd3457b75c-7ffd3457ba83 and calls CreateProcessA from block 7ffd3457b924-7ffd3457b9e7)
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2156955688.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34560000_New shipment AWB NO - 09804480383.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0
                    • Opcode ID: 077286ea488cac8a42d7336c1fb385e87249d6087aff1ebed49fb2ab398e668f
                    • Instruction ID: 7b4ceb9ec4adfbb5479c8466ca80b234378df2b185557cdf2a04b4e29b042687
                    • Opcode Fuzzy Hash: 077286ea488cac8a42d7336c1fb385e87249d6087aff1ebed49fb2ab398e668f
                    • Instruction Fuzzy Hash: 3AA13C70A18A8D8FEBB8DF18C894BE877E1FB59305F10412ED84EDB691CB789584CB45