Malware analysis 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe Malicious activity

Add for printing

File name:	9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe
Full analysis:	https://app.any.run/tasks/5ecb325f-f905-4be5-bf4c-fc6c944f7886
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Malware Trends Tracker >>>
Analysis date:	March 11, 2024, 14:45:59
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion snake keylogger
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:	82F04C1F7A8C661BCF5C6F5BC1E2AF62
SHA1:	97262435EF45E71B3ECDDBE35937A979B5DB91C2
SHA256:	9CFE2E7562A6C497CF42AC68AF0A8104591E108131C2AE10EAF2BE2FD3D66B05
SSDEEP:	3072:HRdCdr176JWjx4O0qgXJJH8PsiLc5qTFUao05+cEDj8c6mN3ONU0IXuYJlI/6:x0ocFUh05VE/t0N9IXu7/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.66)
Microsoft Edge Update (1.3.185.21)
Microsoft Edge WebView2 Runtime (122.0.2365.66)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
- Changes the autorun value in the registry
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
- Actions looks like stealing of personal data
  - MSBuild.exe (PID: 4968)
- Scans artifacts that could help determine the target
  - MSBuild.exe (PID: 4968)
- Steals credentials from Web Browsers
  - MSBuild.exe (PID: 4968)
- SNAKE has been detected (YARA)
  - MSBuild.exe (PID: 4968)
- SNAKEKEYLOGGER has been detected (SURICATA)
  - MSBuild.exe (PID: 4968)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
- Loads DLL from Mozilla Firefox
  - MSBuild.exe (PID: 4968)
- Checks for external IP
  - MSBuild.exe (PID: 4968)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - MSBuild.exe (PID: 4968)
INFO
- Reads the machine GUID from the registry
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
  - MSBuild.exe (PID: 4968)
- Reads the computer name
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
  - MSBuild.exe (PID: 4968)
- Checks proxy server information
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
  - BackgroundTransferHost.exe (PID: 6844)
  - MSBuild.exe (PID: 4968)
  - slui.exe (PID: 4076)
- Checks supported languages
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
  - MSBuild.exe (PID: 4968)
- Reads the software policy settings
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
  - BackgroundTransferHost.exe (PID: 6844)
  - MSBuild.exe (PID: 4968)
  - slui.exe (PID: 4076)
- Reads Environment values
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
  - MSBuild.exe (PID: 4968)
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 4796)
  - BackgroundTransferHost.exe (PID: 2768)
  - BackgroundTransferHost.exe (PID: 6844)
  - BackgroundTransferHost.exe (PID: 2432)
  - BackgroundTransferHost.exe (PID: 6600)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 6844)
  - 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe (PID: 4480)
- Reads Microsoft Office registry keys
  - MSBuild.exe (PID: 4968)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

SnakeKeylogger

(PID) Process(4968) MSBuild.exe

Keys

DES6fc98cd6

Options

Telegram Bot Token6291795537:AAEMBnTzrVQuxAduZ-X6E2opYJoPQJoG5tY

Telegram Chat ID5262627523

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:03:11 07:11:52+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware
PEType:	PE32+
LinkerVersion:	6
CodeSize:	285184
InitializedDataSize:	18432
UninitializedDataSize:	-
EntryPoint:	0x478ca
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	9.0.0.6
ProductVersionNumber:	9.0.0.6
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Sky Email Extractor
CompanyName:	Sky Email Extractor
FileDescription:	Sky Email Extractor
FileVersion:	9.0.0.6
InternalName:	Mquqdysqqv.exe
LegalCopyright:	www.skyextractor.com All rights reserved.
LegalTrademarks:	-
OriginalFileName:	Mquqdysqqv.exe
ProductName:	Sky Email Extractor
ProductVersion:	9.0.0.6
AssemblyVersion:	9.0.0.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2432

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.746 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

2768

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.746 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

4076

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

4480

"C:\Users\admin\AppData\Local\Temp\9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe"

C:\Users\admin\AppData\Local\Temp\9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe

explorer.exe

User:

admin

Company:

Sky Email Extractor

Integrity Level:

MEDIUM

Description:

Sky Email Extractor

Exit code:

Version:

9.0.0.6

Modules

Images
c:\users\admin\appdata\local\temp\9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4796

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.746 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

4968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

MSBuild.exe

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

SnakeKeylogger

(PID) Process(4968) MSBuild.exe

Keys

DES6fc98cd6

Options

Telegram Bot Token6291795537:AAEMBnTzrVQuxAduZ-X6E2opYJoPQJoG5tY

Telegram Chat ID5262627523

6600

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.746 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

6844

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.746 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

Add for printing

Total events

5 765

Read events

5 721

Write events

Delete events

Modification events


(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4480) 9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6844	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\91bcdb74-ca68-468f-b69c-8bb44e6a97e4.down_data		—
		MD5:—	SHA256:—
6844	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\91bcdb74-ca68-468f-b69c-8bb44e6a97e4.4020621f-14c1-42b6-b3ca-b1481830706b.down_meta		binary
		MD5:8ABC4ABA0F2C51002C92F4860829124B	SHA256:18FC9538E22C942A2D1B332346DF187E3002C9FDAA748EA6D20DF58D69EF1701
6844	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A		der
		MD5:5D8F7B1C393FF00DE21F682F78942993	SHA256:FC8EF68E41508D55F9272B96BC7D075B05A35800A8781E1AF1D6D82171B103C1
6844	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\0b39e40d-572f-4e98-9f37-5ddaac966f80.up_meta_secure		binary
		MD5:64B57E49202194E7A4DBFFE8772CBEA6	SHA256:62BC02015693C9D7C27CA60E90E77FB16667011A82AB98C6AC9CB6D1F239278A
6844	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\0b39e40d-572f-4e98-9f37-5ddaac966f80.4020621f-14c1-42b6-b3ca-b1481830706b.down_meta		binary
		MD5:8ABC4ABA0F2C51002C92F4860829124B	SHA256:18FC9538E22C942A2D1B332346DF187E3002C9FDAA748EA6D20DF58D69EF1701
4480	9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe.log		text
		MD5:B56C0F3F73343AD651A98401F3E98660	SHA256:48C98EB0538514683CC4941E0E0B99D9B5A222AD7CCCD3BC11AD5B0F64539D05
6844	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A		binary
		MD5:9E732A7F6E18FAABA439E0A6C143D6E6	SHA256:BB7A1A7C497587A9ED710A2159EAFB2BDBCDE10C62D0A3B7C48C5A87431D48B0
4480	9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	C:\Users\admin\AppData\Roaming\aaaaaaaaaaaa.exe		executable
		MD5:82F04C1F7A8C661BCF5C6F5BC1E2AF62	SHA256:9CFE2E7562A6C497CF42AC68AF0A8104591E108131C2AE10EAF2BE2FD3D66B05

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6844	BackgroundTransferHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	314 b	unknown
4968	MSBuild.exe	GET	200	193.122.130.0:80	http://checkip.dyndns.org/	unknown	html	105 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4828	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4480	9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	162.159.130.233:443	cdn.discordapp.com	CLOUDFLARENET	—	shared
1280	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2568	svchost.exe	40.126.32.138:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2568	svchost.exe	40.126.32.68:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
1280	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7064	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4188	backgroundTaskHost.exe	20.103.156.88:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
1528	backgroundTaskHost.exe	95.100.98.107:443	www.bing.com	Akamai International B.V.	IE	unknown
6844	BackgroundTransferHost.exe	95.100.98.107:443	www.bing.com	Akamai International B.V.	IE	unknown

DNS requests

Domain	IP	Reputation
cdn.discordapp.com	162.159.130.233 162.159.134.233 162.159.133.233 162.159.129.233 162.159.135.233	shared
settings-win.data.microsoft.com	4.231.128.59	whitelisted
arc.msn.com	20.103.156.88	whitelisted
www.bing.com	95.100.98.107 95.100.98.121 95.100.98.123 95.100.98.81 95.100.98.122 95.100.98.88 95.100.98.105 95.100.98.97 95.100.98.120	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
checkip.dyndns.org	193.122.130.0 132.226.247.73 132.226.8.169 193.122.6.168 158.101.44.242	shared
api.telegram.org	149.154.167.220	shared
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

PID	Process	Class	Message
2160	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
4480	9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2160	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
2160	svchost.exe	Misc activity	AV INFO Query to checkip.dyndns. Domain
4968	MSBuild.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
4968	MSBuild.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2160	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
4968	MSBuild.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4968	MSBuild.exe	Misc activity	ET HUNTING Telegram API Certificate Observed

Add for printing

No debug info

General Info

9cfe2e7562a6c497cf42ac68af0a8104591e108131c2ae10eaf2be2fd3d66b05.exe

82F04C1F7A8C661BCF5C6F5BC1E2AF62

97262435EF45E71B3ECDDBE35937A979B5DB91C2

9CFE2E7562A6C497CF42AC68AF0A8104591E108131C2AE10EAF2BE2FD3D66B05

3072:HRdCdr176JWjx4O0qgXJJH8PsiLc5qTFUao05+cEDj8c6mN3ONU0IXuYJlI/6:x0ocFUh05VE/t0N9IXu7/

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Actions looks like stealing of personal data

Scans artifacts that could help determine the target

Steals credentials from Web Browsers

SNAKE has been detected (YARA)

SNAKEKEYLOGGER has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Loads DLL from Mozilla Firefox

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Checks supported languages

Reads the software policy settings

Reads Environment values

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Malware configuration

SnakeKeylogger

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

SnakeKeylogger

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings