File name:

4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe

Full analysis: https://app.any.run/tasks/b544ee4d-d504-4121-abbb-c8a6057d7971
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: September 18, 2024, 09:07:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
snake
keylogger
telegram
smtp
exfiltration
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:

A24A997779B9308C94FB1D4C29E3458C

SHA1:

31162589BADBD879CA93529F48006D389A6E1382

SHA256:

4B575FF878D4EB2050F438B07AECDB8A9CF163C2649233B9884F59F2162DF709

SSDEEP:

24576:pq/lCfXfp/zTALozLvtsIEvD4xSgzfIt2YfEHbe6hfN/mTLr0ZrBzCyo/fGPgy4e:2lCfXfp/zTALozLvtsIEvD4xSgzfIt2l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SNAKE has been detected (YARA)

      • aspnet_compiler.exe (PID: 6988)

    • SNAKEKEYLOGGER has been detected (SURICATA)

      • aspnet_compiler.exe (PID: 6988)

    • Attempt to transmit an email message via SMTP

      • aspnet_compiler.exe (PID: 6988)

    • Stealers network behavior

      • aspnet_compiler.exe (PID: 6988)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • aspnet_compiler.exe (PID: 6988)

    • Connects to SMTP port

      • aspnet_compiler.exe (PID: 6988)

    • The process connected to a server suspected of theft

      • aspnet_compiler.exe (PID: 6988)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • aspnet_compiler.exe (PID: 6988)

  • INFO

    • Attempting to use instant messaging service

      • aspnet_compiler.exe (PID: 6988)
      • svchost.exe (PID: 2256)

    • Attempt to transmit an email message via SMTP

      • aspnet_compiler.exe (PID: 6988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process(6988) aspnet_compiler.exe
Keys
DES6fc98cd68a1aab8b
Options
SMTP Userzam8@qlststv.com
SMTP PasswordTZmaka!@Y66#W{L!IoB5..
SMTP Hostgator3220.hostgator.com
SMTP SendTocloseit@aoqiinflatables.com
SMTP Port587
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:16 04:48:12+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 6
CodeSize: 190976
InitializedDataSize: 372224
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.50
ProductVersionNumber: 4.0.0.50
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: AhnLab V3 Lite Expansion UI
CompanyName: AhnLab, Inc.
FileDescription: AhnLab V3 Lite Expansion UI
FileVersion: 4.0.0.50
InternalName: Tgvfevcucdo.exe
LegalCopyright: © 2018-2019 AhnLab, Inc. All rights reserved.
LegalTrademarks: -
OriginalFileName: Tgvfevcucdo.exe
ProductName: AhnLab V3 Lite
ProductVersion: 4.0.0.50
AssemblyVersion: 4.0.0.50
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe svchost.exe #SNAKE aspnet_compiler.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4844\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeaspnet_compiler.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5240"C:\Users\admin\Desktop\4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe" C:\Users\admin\Desktop\4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe
explorer.exe
User:
admin
Company:
AhnLab, Inc.
Integrity Level:
MEDIUM
Description:
AhnLab V3 Lite Expansion UI
Exit code:
4294967295
Version:
4.0.0.50
Modules
Images
c:\users\admin\desktop\4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6988"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_compiler.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
SnakeKeylogger
(PID) Process(6988) aspnet_compiler.exe
Keys
DES6fc98cd68a1aab8b
Options
SMTP Userzam8@qlststv.com
SMTP PasswordTZmaka!@Y66#W{L!IoB5..
SMTP Hostgator3220.hostgator.com
SMTP SendTocloseit@aoqiinflatables.com
SMTP Port587
Total events
8 365
Read events
8 337
Write events
28
Delete events
0

Modification events

(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5240) 4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
26
DNS requests
9
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5240
4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe
GET
301
188.114.97.3:80
http://filetransfer.io/data-package/G1NY5FRK/download
unknown
whitelisted
2456
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6820
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6988
aspnet_compiler.exe
GET
200
193.122.6.168:80
http://checkip.dyndns.org/
unknown
malicious
6988
aspnet_compiler.exe
GET
200
193.122.6.168:80
http://checkip.dyndns.org/
unknown
malicious
6988
aspnet_compiler.exe
GET
200
193.122.6.168:80
http://checkip.dyndns.org/
unknown
malicious
6988
aspnet_compiler.exe
GET
200
193.122.6.168:80
http://checkip.dyndns.org/
unknown
malicious
6988
aspnet_compiler.exe
GET
200
193.122.6.168:80
http://checkip.dyndns.org/
unknown
malicious
6988
aspnet_compiler.exe
GET
200
193.122.6.168:80
http://checkip.dyndns.org/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2456
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6820
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
5240
4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe
188.114.97.3:80
filetransfer.io
CLOUDFLARENET
NL
malicious
2456
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6820
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5240
4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe
188.114.97.3:443
filetransfer.io
CLOUDFLARENET
NL
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
filetransfer.io
  • 188.114.97.3
  • 188.114.96.3
unknown
www.microsoft.com
  • 23.35.229.160
whitelisted
s22.filetransfer.io
  • 188.114.96.3
  • 188.114.97.3
unknown
checkip.dyndns.org
  • 193.122.6.168
  • 158.101.44.242
  • 132.226.8.169
  • 193.122.130.0
  • 132.226.247.73
shared
reallyfreegeoip.org
  • 188.114.97.3
  • 188.114.96.3
malicious
api.telegram.org
  • 149.154.167.220
shared
gator3220.hostgator.com
  • 198.57.247.184
malicious

Threats

PID
Process
Class
Message
2256
svchost.exe
Potentially Bad Traffic
ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)
5240
4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe
Potentially Bad Traffic
ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6988
aspnet_compiler.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
6988
aspnet_compiler.exe
Device Retrieving External IP Address Detected
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
6988
aspnet_compiler.exe
Misc activity
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2256
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6988
aspnet_compiler.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
6988
aspnet_compiler.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
6988
aspnet_compiler.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup - checkip.dyndns.org
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
4b575ff878d4eb2050f438b07aecdb8a9cf163c2649233b9884f59f2162df709.exe