File name: f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7

Full analysis: https://app.any.run/tasks/93d62009-1cfd-48e9-8ccc-8e2c825e4b0a
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: January 10, 2025, 21:03:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
snake
keylogger
telegram
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: D721EAB396039744DF30C1C4AC89386E
SHA1: DB06BCB42971088989F20C795E484611B37B35B0
SHA256: F800B332A02989CB73F92D0B58F9658F7F5389BE1A966670C507CCBD32C31CE7
SSDEEP: 49152:3HlGAXWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZ+:MAGQX21RBt7QjTmcaTH/vU4do9Pcjq1f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • toggeries.exe (PID: 4528)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 3224)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 3224)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 3224)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 3224)
  • SUSPICIOUS

    • Starts itself from another location

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
    • Executable content was dropped or overwritten

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • RegSvcs.exe (PID: 3224)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • RegSvcs.exe (PID: 3224)
    • The process verifies whether the antivirus software is installed

      • RegSvcs.exe (PID: 3224)
  • INFO

    • The sample was compiled with English language support

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
    • Create files in a temporary directory

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
      • toggeries.exe (PID: 4528)
    • Checks supported languages

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
      • toggeries.exe (PID: 4528)
      • RegSvcs.exe (PID: 3224)
    • Reads the machine GUID from the registry

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
      • RegSvcs.exe (PID: 3224)
    • Reads mouse settings

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
      • toggeries.exe (PID: 4528)
    • Creates files or folders in the user directory

      • f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID: 2168)
      • toggeries.exe (PID: 4528)
    • Checks proxy server information

      • RegSvcs.exe (PID: 3224)
    • Reads the computer name

      • RegSvcs.exe (PID: 3224)
    • Disables trace logs

      • RegSvcs.exe (PID: 3224)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 3224)

SnakeKeylogger

Process (PID): RegSvcs.exe (3224)
Keys
DES: 6fc98cd68a1aab8b
Options
SMTP Password: 7213575aceACE@@
SMTP Host: mail.wxtp.store
SMTP Port: 587

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 451584
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:08 23:10:21+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 128
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start → f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe (PID 2168) → toggeries.exe (PID 4528) → RegSvcs.exe (PID 3224) #SNAKE
svchost.exe (PID 2192, started by services.exe)

Process information

PID: 2168
CMD: "C:\Users\admin\AppData\Local\Temp\f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe"
Path: C:\Users\admin\AppData\Local\Temp\f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

PID: 4528
CMD: "C:\Users\admin\AppData\Local\Temp\f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe"
Path: C:\Users\admin\AppData\Local\Thebesian\toggeries.exe
Parent process: f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\thebesian\toggeries.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

PID: 3224
CMD: "C:\Users\admin\AppData\Local\Temp\f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: toggeries.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events: 1 342
Read events: 1 328
Write events: 14
Delete events: 0

Modification events

(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | Operation: write | Name: EnableAutoFileTracing | Value: 0
(PID) Process: (3224) RegSvcs.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | Operation: write | Name: EnableConsoleTracing | Value: 0
Executable files: 1
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2168 | f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe | C:\Users\admin\AppData\Local\Temp\aut6555.tmp | binary
MD5: 85F79BF6C6F6C04600110CE3F25DC877
SHA256: 36DB44B1D2612B411465ED21A00B80CA791B76BF67DD0443186227D00B01D70C
4528 | toggeries.exe | C:\Users\admin\AppData\Local\Temp\aut72F1.tmp | binary
MD5: 85F79BF6C6F6C04600110CE3F25DC877
SHA256: 36DB44B1D2612B411465ED21A00B80CA791B76BF67DD0443186227D00B01D70C
2168 | f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe | C:\Users\admin\AppData\Local\Temp\molecast | binary
MD5: DD27F42376CB50AA257B4E8884D1BC54
SHA256: DBCFBCC5F610189F9A4F724DF7DC942FB6F6CE773C54C108F0AC175EC4D8D88B
2168 | f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe | C:\Users\admin\AppData\Local\Thebesian\toggeries.exe | executable
MD5: D721EAB396039744DF30C1C4AC89386E
SHA256: F800B332A02989CB73F92D0B58F9658F7F5389BE1A966670C507CCBD32C31CE7
4528 | toggeries.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs | binary
MD5: E760C43EFE8D8A5832335E9E0CDCBEEB
SHA256: 1BBF8F8BF4ED4AAF2DCC625C4F2DFE586B7157C8E4A5C09EBBF3A7F9E2EBAB63
HTTP(S) requests: 17
TCP/UDP connections: 35
DNS requests: 19
Threats: 19

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious
3224 | RegSvcs.exe | GET | 200 | 193.122.130.0:80 | http://checkip.dyndns.org/ | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
876 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5064 | SearchApp.exe | 2.23.227.215:443 | | Ooredoo Q.S.C. | QA | unknown
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3224 | RegSvcs.exe | 193.122.130.0:80 | checkip.dyndns.org | ORACLE-BMC-31898 | US | shared
3224 | RegSvcs.exe | 104.21.96.1:443 | reallyfreegeoip.org | CLOUDFLARENET | | malicious
876 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 2.23.246.101, 184.30.21.171 | whitelisted
google.com | 142.250.185.142 | whitelisted
checkip.dyndns.org | 193.122.130.0, 132.226.8.169, 158.101.44.242, 132.226.247.73, 193.122.6.168 | shared
reallyfreegeoip.org | 104.21.96.1, 104.21.16.1, 104.21.48.1, 104.21.32.1, 104.21.64.1, 104.21.112.1, 104.21.80.1 | malicious
api.telegram.org | 149.154.167.220 | shared
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.72, 40.126.32.133, 20.190.160.20, 40.126.32.136, 40.126.32.76, 40.126.32.74, 40.126.32.138, 20.190.160.17 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted

Threats

Class | Message
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
No debug info