Windows Analysis Report
order6566546663.exe

Overview

General Information

Sample name: order6566546663.exe
Analysis ID: 1592378
MD5: 71bd2f038e92ae0e3b95a7567511458e
SHA1: 816293b2472e394288fc9c91bdff206ab8ef52e2
SHA256: 13ba4ee3d7accddd8dbce8e4bc4a623e0b7bf30350fe9d58f1c269cd744bb835
Tags: exeSnakeKeyloggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: order6566546663.exe Avira: detected
Found malware configuration
Source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}
Multi AV Scanner detection for submitted file
Source: order6566546663.exe Virustotal: Detection: 51% Perma Link
Source: order6566546663.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: order6566546663.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: order6566546663.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: order6566546663.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: order6566546663.exe, 00000000.00000002.2027706449.0000000004F60000.00000004.08000000.00040000.00000000.sdmp, order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 02C8F1F6h 1_2_02C8F007
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 02C8FB80h 1_2_02C8F007
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_02C8E528
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE1A38h 1_2_06AE1620
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE02F1h 1_2_06AE0040
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEE301h 1_2_06AEE058
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE1471h 1_2_06AE11C0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AECD49h 1_2_06AECAA0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AED1A1h 1_2_06AECEF8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE1A38h 1_2_06AE1617
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEF8B9h 1_2_06AEF610
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEFD11h 1_2_06AEFA68
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEC8F1h 1_2_06AEC648
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEDA51h 1_2_06AED7A8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AED5F9h 1_2_06AED350
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE0751h 1_2_06AE04A0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEE759h 1_2_06AEE4B0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEB791h 1_2_06AEB4E8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEDEA9h 1_2_06AEDC00
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEF461h 1_2_06AEF1B8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEC041h 1_2_06AEBD98
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEC499h 1_2_06AEC1F0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEEBB1h 1_2_06AEE908
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE0BB1h 1_2_06AE0900
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE1A38h 1_2_06AE1966
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AE1011h 1_2_06AE0D60
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEF009h 1_2_06AEED60
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06AEBBE9h 1_2_06AEB940
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B18945h 1_2_06B18608
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B16171h 1_2_06B15EC8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06B136CE
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B158C1h 1_2_06B15618
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B15D19h 1_2_06B15A70
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06B133B8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06B133A8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B16E79h 1_2_06B16BD0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B165C9h 1_2_06B16320
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B16A21h 1_2_06B16778
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B17751h 1_2_06B174A8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B10741h 1_2_06B10498
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B10B99h 1_2_06B108F0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B172FAh 1_2_06B17050
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B102E9h 1_2_06B10040
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B18459h 1_2_06B181B0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B15441h 1_2_06B15198
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B17BA9h 1_2_06B17900
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B18001h 1_2_06B17D58
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 4x nop then jmp 06B10FF1h 1_2_06B10D48

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49764 -> 104.21.16.1:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.order6566546663.exe.4e50000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.3853f90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.3853f90.2.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.4e50000.5.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.280f744.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.2811f84.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: order6566546663.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\order6566546663.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 0_2_00E0AE48 0_2_00E0AE48
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8B328 1_2_02C8B328
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8F007 1_2_02C8F007
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8C193 1_2_02C8C193
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C86148 1_2_02C86148
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8C751 1_2_02C8C751
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C86730 1_2_02C86730
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8C470 1_2_02C8C470
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C84AD9 1_2_02C84AD9
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8CA31 1_2_02C8CA31
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8BBD3 1_2_02C8BBD3
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8BEB7 1_2_02C8BEB7
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8CD10 1_2_02C8CD10
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8B4F3 1_2_02C8B4F3
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C83570 1_2_02C83570
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8E528 1_2_02C8E528
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_02C8E523 1_2_02C8E523
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE8460 1_2_06AE8460
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE3870 1_2_06AE3870
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE0040 1_2_06AE0040
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEE058 1_2_06AEE058
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE7D90 1_2_06AE7D90
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE11C0 1_2_06AE11C0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AECAA0 1_2_06AECAA0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AECA9D 1_2_06AECA9D
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AECEF8 1_2_06AECEF8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AECEF5 1_2_06AECEF5
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEC638 1_2_06AEC638
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEF600 1_2_06AEF600
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEF610 1_2_06AEF610
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEFA68 1_2_06AEFA68
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEC648 1_2_06AEC648
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEFA59 1_2_06AEFA59
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AED7A8 1_2_06AED7A8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AED798 1_2_06AED798
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE73E8 1_2_06AE73E8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE73E7 1_2_06AE73E7
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEDBF1 1_2_06AEDBF1
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AED349 1_2_06AED349
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AED350 1_2_06AED350
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE04A0 1_2_06AE04A0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEE4A0 1_2_06AEE4A0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEE4B0 1_2_06AEE4B0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE0490 1_2_06AE0490
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEB4E8 1_2_06AEB4E8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEB4E5 1_2_06AEB4E5
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE08FC 1_2_06AE08FC
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE0033 1_2_06AE0033
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEDC00 1_2_06AEDC00
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE386F 1_2_06AE386F
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEE049 1_2_06AEE049
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE11BB 1_2_06AE11BB
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEF1B8 1_2_06AEF1B8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEF1B5 1_2_06AEF1B5
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEBD88 1_2_06AEBD88
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEBD98 1_2_06AEBD98
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEC1E0 1_2_06AEC1E0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEC1F0 1_2_06AEC1F0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEB930 1_2_06AEB930
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEE908 1_2_06AEE908
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE0900 1_2_06AE0900
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEE901 1_2_06AEE901
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE0D60 1_2_06AE0D60
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEED60 1_2_06AEED60
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEB940 1_2_06AEB940
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AEED5D 1_2_06AEED5D
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE0D5B 1_2_06AE0D5B
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1B6E8 1_2_06B1B6E8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B18608 1_2_06B18608
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1D670 1_2_06B1D670
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1AA58 1_2_06B1AA58
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1C388 1_2_06B1C388
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B18BF2 1_2_06B18BF2
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1B0A0 1_2_06B1B0A0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1D028 1_2_06B1D028
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1A408 1_2_06B1A408
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B111A0 1_2_06B111A0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1C9D8 1_2_06B1C9D8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1BD38 1_2_06B1BD38
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15EB8 1_2_06B15EB8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1B6E7 1_2_06B1B6E7
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15EC8 1_2_06B15EC8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15615 1_2_06B15615
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15618 1_2_06B15618
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B18602 1_2_06B18602
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15A70 1_2_06B15A70
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15A60 1_2_06B15A60
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1D662 1_2_06B1D662
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1AA4E 1_2_06B1AA4E
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B133B8 1_2_06B133B8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B133A8 1_2_06B133A8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1C387 1_2_06B1C387
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1A3FE 1_2_06B1A3FE
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B16BD0 1_2_06B16BD0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B16BC9 1_2_06B16BC9
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B13730 1_2_06B13730
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B16320 1_2_06B16320
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B16319 1_2_06B16319
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B16778 1_2_06B16778
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1676A 1_2_06B1676A
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B128B0 1_2_06B128B0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B174A5 1_2_06B174A5
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B174A8 1_2_06B174A8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B10495 1_2_06B10495
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B10498 1_2_06B10498
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1B09F 1_2_06B1B09F
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B178F0 1_2_06B178F0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B108F0 1_2_06B108F0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B108ED 1_2_06B108ED
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1B6E8 1_2_06B1B6E8
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B14430 1_2_06B14430
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1003D 1_2_06B1003D
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1D027 1_2_06B1D027
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B12807 1_2_06B12807
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B12809 1_2_06B12809
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B17050 1_2_06B17050
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B10040 1_2_06B10040
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B17049 1_2_06B17049
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B181B0 1_2_06B181B0
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B181AD 1_2_06B181AD
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B11191 1_2_06B11191
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B15198 1_2_06B15198
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1518E 1_2_06B1518E
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1C9D7 1_2_06B1C9D7
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B1BD37 1_2_06B1BD37
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B10D39 1_2_06B10D39
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B17900 1_2_06B17900
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B17D51 1_2_06B17D51
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B17D58 1_2_06B17D58
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06B10D48 1_2_06B10D48
Sample file is different than original file name gathered from version info
Source: order6566546663.exe, 00000000.00000002.2027706449.0000000004F60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2027017019.0000000003805000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000000.2021846884.0000000000422000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2024514112.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs order6566546663.exe
Source: order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs order6566546663.exe
Source: order6566546663.exe, 00000001.00000002.4499926157.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs order6566546663.exe
Source: order6566546663.exe Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs order6566546663.exe
Uses 32bit PE files
Source: order6566546663.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.order6566546663.exe.4e50000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.3853f90.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.3853f90.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.4e50000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.280f744.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.2811f84.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
Source: C:\Users\user\Desktop\order6566546663.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order6566546663.exe.log Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Mutant created: NULL
Source: order6566546663.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: order6566546663.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\order6566546663.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000003083000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4501829243.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000003091000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: order6566546663.exe Virustotal: Detection: 51%
Source: order6566546663.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe"
Source: C:\Users\user\Desktop\order6566546663.exe Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe"
Source: C:\Users\user\Desktop\order6566546663.exe Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe" Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: order6566546663.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: order6566546663.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: order6566546663.exe, 00000000.00000002.2027706449.0000000004F60000.00000004.08000000.00040000.00000000.sdmp, order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp
Binary contains a suspicious time stamp
Source: order6566546663.exe Static PE information: 0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE2E78 push esp; iretd 1_2_06AE2E79
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE6F8B push es; ret 1_2_06AE6FE4
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE6F13 push es; ret 1_2_06AE6FE4
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE7059 push es; iretd 1_2_06AE705C
Source: order6566546663.exe Static PE information: section name: .text entropy: 7.212572916537044
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\order6566546663.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: E00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: 2800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: 4800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: 2E40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: 4E40000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599344 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598464 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597919 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597749 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597638 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597530 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597347 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597214 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596983 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596435 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596219 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595561 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595337 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595124 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594892 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594766 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594513 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594288 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\order6566546663.exe Window / User API: threadDelayed 8220 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Window / User API: threadDelayed 1632 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\order6566546663.exe TID: 1968 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 5168 Thread sleep count: 8220 > 30 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 5168 Thread sleep count: 1632 > 30 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598464s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597919s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597638s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597530s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597347s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597214s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -597093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596983s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596435s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -596000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595561s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595337s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -595015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -594892s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -594766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -594625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -594513s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -594406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196 Thread sleep time: -594288s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599344 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598464 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597919 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597749 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597638 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597530 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597347 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597214 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596983 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596435 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596219 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595561 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595337 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595124 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594892 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594766 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594513 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Thread delayed: delay time: 594288 Jump to behavior
Source: order6566546663.exe, 00000001.00000002.4500046974.000000000113A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: C:\Users\user\Desktop\order6566546663.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\order6566546663.exe Code function: 1_2_06AE7D90 LdrInitializeThunk, 1_2_06AE7D90
Enables debug privileges
Source: C:\Users\user\Desktop\order6566546663.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\order6566546663.exe Memory written: C:\Users\user\Desktop\order6566546663.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\order6566546663.exe Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Users\user\Desktop\order6566546663.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Users\user\Desktop\order6566546663.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\order6566546663.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\order6566546663.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.48.1
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
104.21.16.1
 unknown United States
13335 CLOUDFLARENETUS false
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 104.21.48.1 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/8.46.123.189 false
      		high