File name: fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe

Full analysis: https://app.any.run/tasks/752d6006-a813-4a48-ab7d-86879a2ac682
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, which may include online banking credentials as well as private conversations. The most widespread attack vector leading to a keylogger infection begins with a phishing email or link. Keylogging functionality is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: February 27, 2024, 12:20:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, snake, keylogger
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: 744CEF044B2B3DEEE682EAF5700C4246
SHA1: A00D9D307CB28CC92F5B2F010578DC5A10D3F812
SHA256: FC00BF8337B313D331CC6FA9BE8FAFF6FC1FA60B5F34CD34604614B52E637FD9
SSDEEP: 98304:Lu8TN63rUxb0fQQL7QTMh6/nUpS21qXPUjQ8QqpJCmm42p:q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
    • Drops the executable file immediately after the start
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
    • Scans artifacts that could help determine the target
      • MSBuild.exe (PID: 6688)
    • SNAKEKEYLOGGER has been detected (SURICATA)
      • MSBuild.exe (PID: 6688)
    • Actions look like stealing of personal data
      • MSBuild.exe (PID: 6688)
    • Steals credentials from Web Browsers
      • MSBuild.exe (PID: 6688)
    • SNAKE has been detected (YARA)
      • MSBuild.exe (PID: 6688)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
    • Checks for external IP
      • MSBuild.exe (PID: 6688)
    • Loads DLL from Mozilla Firefox
      • MSBuild.exe (PID: 6688)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • MSBuild.exe (PID: 6688)
  • INFO
    • Reads the computer name
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
      • MSBuild.exe (PID: 6688)
    • Checks supported languages
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
      • MSBuild.exe (PID: 6688)
    • Checks proxy server information
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
      • MSBuild.exe (PID: 6688)
      • slui.exe (PID: 5048)
    • Reads Environment values
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
      • MSBuild.exe (PID: 6688)
    • Reads the software policy settings
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
      • MSBuild.exe (PID: 6688)
      • slui.exe (PID: 5048)
    • Reads the machine GUID from the registry
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
      • MSBuild.exe (PID: 6688)
    • Creates files or folders in the user directory
      • fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (PID: 4040)
    • Reads Microsoft Office registry keys
      • MSBuild.exe (PID: 6688)

SnakeKeylogger configuration

(PID) Process: (6688) MSBuild.exe
Keys:
  DES: 6fc98cd6
Options:
  Telegram Bot Token: 6550319952:AAEOAmyOyazxuGVGfN0Hlb66AGjB4cWfSek
  Telegram Chat ID: 5262627523

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:02:27 06:16:16+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 4208128
InitializedDataSize: 28160
UninitializedDataSize: -
EntryPoint: 0x4053ea
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.0.0.6
ProductVersionNumber: 9.0.0.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Sky Email Extractor
CompanyName: Sky Email Extractor
FileDescription: Sky Email Extractor
FileVersion: 9.0.0.6
InternalName: Bztahpxu.exe
LegalCopyright: www.skyextractor.com All rights reserved.
LegalTrademarks: -
OriginalFileName: Bztahpxu.exe
ProductName: Sky Email Extractor
ProductVersion: 9.0.0.6
AssemblyVersion: 9.0.0.6
Total processes: 134
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe (#SNAKE), msbuild.exe, slui.exe

Process information

PID: 4040
CMD: "C:\Users\admin\AppData\Local\Temp\fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe"
Path: C:\Users\admin\AppData\Local\Temp\fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe
Parent process: explorer.exe
User: admin
Company: Sky Email Extractor
Integrity Level: MEDIUM
Description: Sky Email Extractor
Exit code: 0
Version: 9.0.0.6
Modules (images):
  c:\users\admin\appdata\local\temp\fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID: 5048
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll

PID: 6688
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Parent process: fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  c:\windows\microsoft.net\framework64\v4.0.30319\msbuild.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
Total events: 3 041
Read events: 3 012
Write events: 29
Delete events: 0

Modification events

(PID) Process: (4040) fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation | Name | Value
write | EnableFileTracing | 0
write | EnableAutoFileTracing | 0
write | EnableConsoleTracing | 0
write | FileTracingMask | (empty in report)
write | ConsoleTracingMask | (empty in report)
write | MaxFileSize | 1048576
write | FileDirectory | %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation | Name | Value
write | EnableFileTracing | 0
write | EnableAutoFileTracing | 0
write | EnableConsoleTracing | 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4040 | fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe.log | text
  MD5: 7D66E79D2C5C9041774E9ECE6ACD5DA4
  SHA256: 9F5CD2D065C8010CF73A2353F664FAE1469401673532D2C713D9F86B42827BCA
4040 | fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe | C:\Users\admin\AppData\Roaming\aaaaaaaaaa.exe | executable
  MD5: 744CEF044B2B3DEEE682EAF5700C4246
  SHA256: FC00BF8337B313D331CC6FA9BE8FAFF6FC1FA60B5F34CD34604614B52E637FD9
HTTP(S) requests: 6
TCP/UDP connections: 35
DNS requests: 18
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(not shown) | (not shown) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 313 b | unknown
5928 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
6620 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.01 Kb | unknown
1832 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown
6688 | MSBuild.exe | GET | 200 | 193.122.6.168:80 | http://checkip.dyndns.org/ | unknown | html | 105 b | unknown
2464 | svchost.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5184 | SearchApp.exe | 92.123.104.61:443 | www.bing.com | Akamai International B.V. | DE | unknown
(not shown) | (not shown) | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
6620 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3848 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
5928 | svchost.exe | 40.126.32.134:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6896 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4040 | fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe | 162.159.133.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | shared
5928 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 92.123.104.61, 92.123.104.5, 92.123.104.63, 92.123.104.12, 92.123.104.56, 92.123.104.58, 92.123.104.67, 92.123.104.59, 92.123.104.62, 92.123.104.60, 92.123.104.64, 92.123.104.4, 92.123.104.65, 92.123.104.66 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
cdn.discordapp.com | 162.159.133.233, 162.159.129.233, 162.159.130.233, 162.159.135.233, 162.159.134.233 | shared
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
arc.msn.com | 20.199.58.43 | whitelisted
slscr.update.microsoft.com | 40.127.169.103 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
checkip.dyndns.org | 193.122.6.168, 158.101.44.242, 132.226.247.73, 193.122.130.0, 132.226.8.169 | shared
api.telegram.org | 149.154.167.220 | shared

Threats

PID | Process | Class | Message
2136 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
4040 | fc00bf8337b313d331cc6fa9be8faff6fc1fa60b5f34cd34604614b52e637fd9.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2136 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
2136 | svchost.exe | Misc activity | AV INFO Query to checkip.dyndns. Domain
6688 | MSBuild.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6688 | MSBuild.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2136 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
6688 | MSBuild.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6688 | MSBuild.exe | Misc activity | ET HUNTING Telegram API Certificate Observed