Malware analysis rdBcCI1XLaU8n5j.exe Malicious activity

Add for printing

File name:	rdBcCI1XLaU8n5j.exe
Full analysis:	https://app.any.run/tasks/8340a170-7884-4418-83b6-24f3666e2314
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 01, 2023, 09:46:49
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	snake keylogger trojan evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	68D278C763AEA273E18659C6DF7F2369
SHA1:	33D8C26B9D27D28C252DC2EBBB17374BA5F50315
SHA256:	AC65DA67127BA5DC096C2D9CA9E218C9CA54BF7F81C99603C1BE34A32A5A6FA5
SSDEEP:	12288:txtqHKYCPFE+COxQrD7+mA2KcFvPrgyO8tsyvUXEJ0imOMt+:txtqHKYj0s77A9mryasyvT0imX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Uses Task Scheduler to run other applications
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- SNAKEKEYLOGGER was detected
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- SNAKE detected by memory dumps
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- Steals credentials from Web Browsers
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- Actions looks like stealing of personal data
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
SUSPICIOUS
- Reads the Internet Settings
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- Application launched itself
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- Executable content was dropped or overwritten
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- Checks for external IP
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- Connects to unusual port
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- Accesses Microsoft Outlook profiles
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
INFO
- Checks supported languages
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- Reads the computer name
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- Reads the machine GUID from the registry
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- The process checks LSA protection
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- Reads Environment values
  - rdBcCI1XLaU8n5j.exe (PID: 2192)
- Create files in a temporary directory
  - rdBcCI1XLaU8n5j.exe (PID: 1892)
- Creates files or folders in the user directory
  - rdBcCI1XLaU8n5j.exe (PID: 1892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

SnakeKeylogger

(PID) Process(2192) rdBcCI1XLaU8n5j.exe

Keys

DES6fc98cd6

Options

SMTP User[email protected]

SMTP PasswordPI#6XIKeoUkC

SMTP Hostvalleycountysar.org

SMTP SendTo[email protected]

SMTP Port26

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:03:31 02:38:08+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	678912
InitializedDataSize:	5632
UninitializedDataSize:	-
EntryPoint:	0xa7ba2
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Lifeguard
CompanyName:	-
FileDescription:	Bearing Machine
FileVersion:	1.0.0.0
InternalName:	gZkJ.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	gZkJ.exe
ProductName:	Bearing Machine
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	31-Mar-2023 02:38:08
Comments:	Lifeguard
CompanyName:	-
FileDescription:	Bearing Machine
FileVersion:	1.0.0.0
InternalName:	gZkJ.exe
LegalCopyright:	-
LegalTrademarks:	-
OriginalFilename:	gZkJ.exe
ProductName:	Bearing Machine
ProductVersion:	1.0.0.0
Assembly Version:	1.0.0.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	31-Mar-2023 02:38:08
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00002000	0x000A5BF8	0x000A5C00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.47252
.rsrc	0x000A8000	0x000012B0	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.61804
.reloc	0x000AA000	0x0000000C	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.10191

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.00112	490	UNKNOWN	UNKNOWN	RT_MANIFEST
32512	1.51664	20	UNKNOWN	UNKNOWN	RT_GROUP_ICON

Imports


mscoree.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1892

"C:\Users\admin\AppData\Local\Temp\rdBcCI1XLaU8n5j.exe"

C:\Users\admin\AppData\Local\Temp\rdBcCI1XLaU8n5j.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Bearing Machine

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rdbcci1xlau8n5j.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\advapi32.dll

1260

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mVnvbKFkPE" /XML "C:\Users\admin\AppData\Local\Temp\tmp9F7D.tmp"

C:\Windows\SysWOW64\schtasks.exe

—

rdBcCI1XLaU8n5j.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\schtasks.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2172

"C:\Users\admin\AppData\Local\Temp\rdBcCI1XLaU8n5j.exe"

C:\Users\admin\AppData\Local\Temp\rdBcCI1XLaU8n5j.exe

—

rdBcCI1XLaU8n5j.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Bearing Machine

Exit code:

4294967295

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rdbcci1xlau8n5j.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2192

"C:\Users\admin\AppData\Local\Temp\rdBcCI1XLaU8n5j.exe"

C:\Users\admin\AppData\Local\Temp\rdBcCI1XLaU8n5j.exe

rdBcCI1XLaU8n5j.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Bearing Machine

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rdbcci1xlau8n5j.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll

SnakeKeylogger

(PID) Process(2192) rdBcCI1XLaU8n5j.exe

Keys

DES6fc98cd6

Options

SMTP User[email protected]

SMTP PasswordPI#6XIKeoUkC

SMTP Hostvalleycountysar.org

SMTP SendTo[email protected]

SMTP Port26

Add for printing

Total events

1 482

Read events

1 466

Write events

Delete events

Modification events


(PID) Process:	(1892) rdBcCI1XLaU8n5j.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1892) rdBcCI1XLaU8n5j.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1892) rdBcCI1XLaU8n5j.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1892) rdBcCI1XLaU8n5j.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1892	rdBcCI1XLaU8n5j.exe	C:\Users\admin\AppData\Roaming\mVnvbKFkPE.exe		executable
		MD5:68D278C763AEA273E18659C6DF7F2369	SHA256:AC65DA67127BA5DC096C2D9CA9E218C9CA54BF7F81C99603C1BE34A32A5A6FA5
1892	rdBcCI1XLaU8n5j.exe	C:\Users\admin\AppData\Local\Temp\tmp9F7D.tmp		xml
		MD5:AF8F27D8F47ACACB51A966E871468779	SHA256:EDE97C7D3A182CC561D8D84C02B6CDE9FDD4573D7A696F9939986F0FBF114E8B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2192	rdBcCI1XLaU8n5j.exe	GET	200	193.122.6.168:80	http://checkip.dyndns.org/	US	html	104 b	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2192	rdBcCI1XLaU8n5j.exe	193.122.6.168:80	checkip.dyndns.org	ORACLE-BMC-31898	DE	malicious
2192	rdBcCI1XLaU8n5j.exe	192.185.5.77:26	valleycountysar.org	UNIFIEDLAYER-AS-1	US	malicious

DNS requests

Domain	IP	Reputation
checkip.dyndns.org	193.122.6.168 158.101.44.242 132.226.8.169 193.122.130.0 132.226.247.73	shared
valleycountysar.org	192.185.5.77	malicious

Threats

PID	Process	Class	Message
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
—	—	Misc activity	AV INFO Query to checkip.dyndns. Domain
2192	rdBcCI1XLaU8n5j.exe	A Network Trojan was detected	ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
2192	rdBcCI1XLaU8n5j.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
2192	rdBcCI1XLaU8n5j.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
2192	rdBcCI1XLaU8n5j.exe	A Network Trojan was detected	ET MALWARE Snake Keylogger Exfil via SMTP

Add for printing

No debug info

General Info

rdBcCI1XLaU8n5j.exe

68D278C763AEA273E18659C6DF7F2369

33D8C26B9D27D28C252DC2EBBB17374BA5F50315

AC65DA67127BA5DC096C2D9CA9E218C9CA54BF7F81C99603C1BE34A32A5A6FA5

12288:txtqHKYCPFE+COxQrD7+mA2KcFvPrgyO8tsyvUXEJ0imOMt+:txtqHKYj0s77A9mryasyvT0imX

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

SNAKEKEYLOGGER was detected

SNAKE detected by memory dumps

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Reads the Internet Settings

Application launched itself

Executable content was dropped or overwritten

Checks for external IP

Connects to unusual port

Accesses Microsoft Outlook profiles

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

The process checks LSA protection

Reads Environment values

Create files in a temporary directory

Creates files or folders in the user directory

Malware configuration

SnakeKeylogger

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

SnakeKeylogger

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings