File name: fatura.rar

Full analysis: https://app.any.run/tasks/0d921a5d-ddca-405b-8da4-92e93143667a
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging is also often built into remote access trojans as part of a broader set of malicious tools.

Analysis date: November 08, 2024, 15:33:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
evasion
snake
keylogger
telegram
ims-api
generic
netreactor
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 7494E23A94139B2E7A8AB11BB7DDACBC
SHA1: DDFCFCE8204D9ED081A0DDF7E851073A6CEDD488
SHA256: 9631C9C5E462AD39703479DEE4F39D44409DA1B67E7D792470027A0901623526
SSDEEP: 49152:NE3iKhRTl6/RQ5Px7kX7l2EbkIaDl98HnRb4x3VSISNNiMFjYfqLD49IkMdCniEF:mSKhRTA/62l7Anl9onRwyNiM5LlkkkiY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6668)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 5736)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 5736)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fatura.exe (PID: 5196)
    • Application launched itself

      • murkest.exe (PID: 1768)
    • Starts itself from another location

      • fatura.exe (PID: 5196)
    • Checks for external IP

      • svchost.exe (PID: 2172)
      • RegSvcs.exe (PID: 5736)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • RegSvcs.exe (PID: 5736)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • RegSvcs.exe (PID: 5736)
  • INFO

    • Manual execution by a user

      • fatura.exe (PID: 5196)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2172)
      • RegSvcs.exe (PID: 5736)
    • .NET Reactor protector has been detected

      • RegSvcs.exe (PID: 5736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process: (5736) RegSvcs.exe
Keys
  DES: 6fc98cd68a1aab8b
Options
  Telegram Bot Token: 6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc
  Telegram Chat ID: 6783205225

ims-api

(PID) Process: (5736) RegSvcs.exe
Telegram-Tokens (1): 6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc
Telegram-Info-Links (token 6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc)
  Get info about bot: https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/getMe
  Get incoming updates: https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/getUpdates
  Get webhook: https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/getWebhookInfo
  Delete webhook: https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/deleteWebhook
  Drop incoming updates: https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/deleteWebhook?drop_pending_updates=true
Telegram-Requests
  Token: 6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc
  End-Point: sendDocument
  Args
    chat_id (1): 6783205225
    caption (1): Pc Name: admin | / VIP Recovery \ PW | admin | VIP Recovery
    Request headers: HTTP/1.1; Content-Type: multipart/form-data; boundary=------------------------8dd000acdbac744; Host: api.telegram.org; Content-Length: 572; Connection: Keep-Alive
Telegram-Responses
  ok: true
  result
    message_id: 20610
    from
      id: 6820629737
      is_bot: true
      first_name: Jay_manbot
      username: Russian_tigerbot
    chat
      id: 6783205225
      first_name: Unit🍅
      username: Unit231
      type: private
    date: 1731080056
    document
      file_name: PW_Recovered.txt
      mime_type: text/plain
      file_id: BQACAgQAAxkDAAJQgmcuL3i73vQWjEvZihxklF5O5a0PAAIyFwAC8gFxUawNwmaAzEWKNgQ
      file_unique_id: AgADMhcAAvIBcVE
      file_size: 355
      caption: Pc Name: admin | / VIP Recovery \ PW | admin | VIP Recovery
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 927424
UncompressedSize: 951296
OperatingSystem: Win32
ModifyDate: 2024:11:06 15:08:12
PackingMethod: Normal
ArchivedFileName: fatura.exe
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe (no specs), fatura.exe, murkest.exe (no specs), regsvcs.exe (no specs), murkest.exe (no specs), regsvcs.exe (#SNAKEKEYLOGGER), svchost.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID 696 | CMD: "C:\Users\admin\Desktop\fatura.exe" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Parent: murkest.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 1768 | CMD: "C:\Users\admin\Desktop\fatura.exe" | Path: C:\Users\admin\AppData\Local\Keily\murkest.exe | Parent: fatura.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\keily\murkest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 2172 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 5196 | CMD: "C:\Users\admin\Desktop\fatura.exe" | Path: C:\Users\admin\Desktop\fatura.exe | Parent: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\fatura.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 5736 | CMD: "C:\Users\admin\AppData\Local\Keily\murkest.exe" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Parent: murkest.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID 6668 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\fatura.rar | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 6768 | CMD: "C:\Users\admin\AppData\Local\Keily\murkest.exe" | Path: C:\Users\admin\AppData\Local\Keily\murkest.exe | Parent: murkest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\keily\murkest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 6 921
Read events: 6 884
Write events: 37
Delete events: 0

Modification events

(PID) Process: (6668) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process: (6668) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0
Value: C:\Users\admin\AppData\Local\Temp\fatura.rar
(PID) Process: (6668) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name
Value: 120
(PID) Process: (6668) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size
Value: 80
(PID) Process: (6668) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type
Value: 120
(PID) Process: (6668) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime
Value: 100
(PID) Process: (5736) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: EnableFileTracing
Value: 0
(PID) Process: (5736) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: EnableAutoFileTracing
Value: 0
(PID) Process: (5736) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: EnableConsoleTracing
Value: 0
(PID) Process: (5736) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: FileTracingMask
Value:
Executable files: 1
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
PID 5196 | fatura.exe | C:\Users\admin\AppData\Local\Keily\murkest.exe | executable
  MD5: 49E9E776C6F5D00A090ADBD8814FFDC7
  SHA256: EF25DD02F39549F22A2272768115E7704CE4FD20E305B7AA16F9906B6688E903
PID 1768 | murkest.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\murkest.vbs | binary
  MD5: 89A876AA18A77FC04372CC137DC94DF1
  SHA256: C4444C686BA00B15A64556E00125F8F9332A2B42F89F6F8B4CF3A6B41C011528
PID 5196 | fatura.exe | C:\Users\admin\AppData\Local\Temp\Ramada | binary
  MD5: F6825C10CCD485C6F4450B6099362CED
  SHA256: 1880F1E63CB2C4BDA5B3CD72369213209EB4E95FF473B1B6B78788109C85570C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 39
DNS requests: 21
Threats: 19

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
624 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5736 | RegSvcs.exe | GET | - | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | malicious
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5736 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | malicious
5736 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | malicious
5736 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | malicious
5736 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | malicious
5736 | RegSvcs.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7032 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
816 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4360 | SearchApp.exe | 104.126.37.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.bing.com
  • 104.126.37.152
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.144
  • 104.126.37.131
  • 104.126.37.137
  • 104.126.37.146
  • 104.126.37.154
  • 104.126.37.136
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.68
  • 40.126.32.134
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.74
whitelisted
checkip.dyndns.org
  • 132.226.8.169
  • 132.226.247.73
  • 193.122.6.168
  • 193.122.130.0
  • 158.101.44.242
shared
th.bing.com
  • 104.126.37.176
  • 104.126.37.163
  • 104.126.37.161
  • 104.126.37.160
  • 104.126.37.171
  • 104.126.37.162
  • 104.126.37.184
  • 104.126.37.177
  • 104.126.37.179
whitelisted
reallyfreegeoip.org
  • 188.114.97.3
  • 188.114.96.3
malicious
go.microsoft.com
  • 23.218.210.69
whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
5736 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
5736 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
5736 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
2172 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2172 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
5736 | RegSvcs.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
5736 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
5736 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
5736 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
No debug info