File name: | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046 |
Full analysis: | https://app.any.run/tasks/50ab8e87-9547-4863-a60d-54b7908a830d |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | December 05, 2022, 17:30:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 3D8665C57C2A13C97F44D86D0D783A76 |
SHA1: | B75CB478899374CF529DA3A7B8DEBCA552E3721E |
SHA256: | 2758782D2F4BF1101CFBC91D0E9EB266A928EBA933FCE802B6412912CF792391 |
SSDEEP: | 24576:YyeineevnvnF6FBlKqw+ULWAhZnVWk6PFv+Z9CLtdfDPm:Q6ewF6FkTzGFFCgLtF+ |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (55.8) |
---|---|---|
.exe | | | Win64 Executable (generic) (21) |
.scr | | | Windows screen saver (9.9) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2048-Mar-30 06:14:20 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | Microsoft |
FileDescription: | Traffic Light |
FileVersion: | 1.0.0.0 |
InternalName: | LcG8nIX.exe |
LegalCopyright: | Copyright © 2021 |
LegalTrademarks: | - |
OriginalFilename: | LcG8nIX.exe |
ProductName: | Traffic Light |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2048-Mar-30 06:14:20 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 1095284 | 1095680 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.34436 |
.rsrc | 1105920 | 1472 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.14481 |
.reloc | 1114112 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.32999 | 820 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2212 | "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe" | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Traffic Light Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
2484 | "{path}" | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | — | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | |||||||||||
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Traffic Light Exit code: 4294967295 Version: 1.0.0.0 Modules
| |||||||||||||||
2624 | "{path}" | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | ||||||||||||
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Traffic Light Version: 1.0.0.0 Modules
SnakeKeylogger(PID) Process(2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe Credentials PasswordqlRYaFn8 Username[email protected] Port587 Hostus2.smtp.mailhostbox.com ProtocolSMTP |
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (2624) SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2624 | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | GET | 200 | 193.122.6.168:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2624 | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | 208.91.199.224:587 | us2.smtp.mailhostbox.com | UNIFIEDLAYER-AS-1 | US | shared |
2624 | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | 193.122.6.168:80 | checkip.dyndns.org | ORACLE-BMC-31898 | DE | malicious |
Domain | IP | Reputation |
---|---|---|
checkip.dyndns.org |
| shared |
us2.smtp.mailhostbox.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
— | — | Misc activity | AV INFO Query to checkip.dyndns. Domain |
2624 | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
2624 | SecuriteInfo.com.Win32.HacktoolX-gen.30740.31046.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |