Malware analysis 0362-24 SHINRYO.exe Malicious activity | ANY.RUN - Malware Sandbox Online (2024)

File name: 0362-24 SHINRYO.exe

Full analysis: https://app.any.run/tasks/d299b288-5a34-408b-a2b5-c1f60d326cbb
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.


Analysis date: August 08, 2024, 09:25:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, snake, keylogger, telegram, stealer

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 22412A42B02E2ACE2AE37F7A509870E6
SHA1: A668A4A28A16050C8D132F1D381AA95CC00B990F
SHA256:
SSDEEP: 49152:YPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtAvzb:KP/mp7t3T4+B/btosJwIA4hHmZlKH2TH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0362-24 SHINRYO.exe (PID: 6388)
    • Creates files in the Startup directory

      • name.exe (PID: 6472)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 6528)
    • Scans artifacts that could help determine the target

      • RegSvcs.exe (PID: 6528)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 6528)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 6528)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 6528)
  • SUSPICIOUS

    • Starts itself from another location

      • 0362-24 SHINRYO.exe (PID: 6388)
    • Executable content was dropped or overwritten

      • 0362-24 SHINRYO.exe (PID: 6388)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • RegSvcs.exe (PID: 6528)
    • The process verifies whether the antivirus software is installed

      • RegSvcs.exe (PID: 6528)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • RegSvcs.exe (PID: 6528)
  • INFO

    • Checks supported languages

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
      • RegSvcs.exe (PID: 6528)
    • Creates files in a temporary directory

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
    • Reads the machine GUID from the registry

      • 0362-24 SHINRYO.exe (PID: 6388)
      • RegSvcs.exe (PID: 6528)
    • Reads mouse settings

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
    • Creates files or folders in the user directory

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
    • Reads Environment values

      • RegSvcs.exe (PID: 6528)
    • Checks proxy server information

      • RegSvcs.exe (PID: 6528)
    • Disables trace logs

      • RegSvcs.exe (PID: 6528)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 6528)
    • Reads Microsoft Office registry keys

      • RegSvcs.exe (PID: 6528)
    • Attempting to use instant messaging service

      • RegSvcs.exe (PID: 6528)
      • svchost.exe (PID: 2256)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report.

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x20577
UninitializedDataSize: -
InitializedDataSize: 498176
CodeSize: 633856
LinkerVersion: 14.16
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:08:07 01:36:12+00:00
MachineType: Intel 386 or later, and compatibles

No data.


All screenshots are available in the full report


Total processes: 135
Monitored processes: 4
Malicious processes: 3
Suspicious processes:


Process information

PID: 6388
CMD: "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe"
Path: C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (Images):

c:\users\admin\appdata\local\temp\0362-24 shinryo.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\ntdll.dll

c:\windows\system32\wow64.dll

c:\windows\system32\wow64win.dll

c:\windows\system32\wow64cpu.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\kernelbase.dll

c:\windows\syswow64\apphelp.dll

c:\windows\syswow64\psapi.dll

PID: 6472
CMD: "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe"
Path: C:\Users\admin\AppData\Local\directory\name.exe
Parent process: 0362-24 SHINRYO.exe
User: admin
Integrity Level: MEDIUM

Modules (Images):

c:\users\admin\appdata\local\directory\name.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\ntdll.dll

c:\windows\system32\wow64.dll

c:\windows\system32\wow64win.dll

c:\windows\system32\wow64cpu.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\kernelbase.dll

c:\windows\syswow64\apphelp.dll

c:\windows\syswow64\psapi.dll

PID: 6528
CMD: "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: name.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1

Modules (Images):

c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\31532774e8bbbd9c59b5e6d7829d3242\mscorlib.ni.dll

c:\windows\syswow64\ole32.dll

c:\windows\syswow64\combase.dll

c:\windows\syswow64\bcryptprimitives.dll

c:\windows\syswow64\uxtheme.dll

c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll

c:\windows\syswow64\oleaut32.dll

c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll

c:\windows\assembly\nativeimages_v4.0.30319_32\system\a4caf3619115bb96d9443fdc0d0fe612\system.ni.dll

c:\windows\microsoft.net\assembly\gac_msil\microsoft.visualbasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\microsoft.visualbasic.dll

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)

Modules (Images):

c:\windows\system32\svchost.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\sechost.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\bcrypt.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\combase.dll

c:\windows\system32\kernel.appcore.dll

Total events: 1897
Read events: 1882
Write events: 15
Delete events:

Modification events

PID | Process | Operation | Key | Name | Value

6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | EnableFileTracing |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | EnableAutoFileTracing |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | EnableConsoleTracing |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | FileTracingMask |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | ConsoleTracingMask |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | MaxFileSize | 1048576
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | FileDirectory | %windir%\tracing
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | EnableFileTracing |
6528 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | EnableAutoFileTracing |

Executable files: 1
Suspicious files: 7
Text files:
Unknown types:

Dropped files

PID | Process | Filename | Type

6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\pensum | binary
  MD5: 27B4ED6713AD2AD2956A2B30C55B893D
  SHA256: 499B2AEB7E8B76BD8F16EC067FC1C4D5CD2D2FC61198248528A72F9C472A7C46

6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\aut5020.tmp | binary
  MD5: 54B982A7D36409EB3F6F75607442664C
  SHA256: 1D3F1F8DEADE90230DE7E4984E4644EB7519EE18DC1257C8772A75BEC2CCECAE

6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\aut5000.tmp | binary
  MD5: 679273B570FFBC74C52D6F9824BD3C85
  SHA256: EBB41283F1C8B82437128BBDF405843151BBC3ACDF1124CA01E7D9A73128A903

6472 | name.exe | C:\Users\admin\AppData\Local\Temp\aut5418.tmp | binary
  MD5: 54B982A7D36409EB3F6F75607442664C
  SHA256: 1D3F1F8DEADE90230DE7E4984E4644EB7519EE18DC1257C8772A75BEC2CCECAE

6472 | name.exe | C:\Users\admin\AppData\Local\Temp\aut5407.tmp | binary
  MD5: 679273B570FFBC74C52D6F9824BD3C85
  SHA256: EBB41283F1C8B82437128BBDF405843151BBC3ACDF1124CA01E7D9A73128A903

6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\murky | binary
  MD5: 017BCEA1C7763767036D28762E8250FD
  SHA256: DA4E9450BD5D15BAC93980EB5044974E5A5297479CB640EA46D73FC94ABAF870

6472 | name.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | binary
  MD5: 8D36AEBB434979DC95BD369F5BBAC124
  SHA256: 2A4F18E7C423B6707A83926BCDA45179137A2CE168C7BB4267EF28AB7EB73E13

6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\directory\name.exe | executable
  MD5: 22412A42B02E2ACE2AE37F7A509870E6
  SHA256: E19655A97F263D76EE3A2AE3F9E36B92B19FD9182D786EBB543FA6184B54D2DF

Download PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 15
TCP/UDP connections: 48
DNS requests: 20
Threats:

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown


Connections

PID | Process | IP | Domain | ASN | CN | Reputation

1784 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3268 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6528 | RegSvcs.exe | 132.226.247.73:80 | checkip.dyndns.org | ORACLE-BMC-31898 | BR | unknown
6528 | RegSvcs.exe | 188.114.96.3:443 | reallyfreegeoip.org | CLOUDFLARENET | NL | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6528 | RegSvcs.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | unknown
1784 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain | IP(s) | Reputation

settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.185.142 | whitelisted
checkip.dyndns.org | 132.226.247.73, 158.101.44.242, 193.122.6.168, 193.122.130.0, 132.226.8.169 | shared
reallyfreegeoip.org | 188.114.96.3, 188.114.97.3 | malicious
api.telegram.org | 149.154.167.220 | shared
www.bing.com | 2.23.209.179, 2.23.209.173, 2.23.209.176, 2.23.209.178, 2.23.209.168, 2.23.209.171, 2.23.209.180, 2.23.209.181, 2.23.209.175 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.160.22, 20.190.160.20, 40.126.32.72, 40.126.32.68, 40.126.32.140, 20.190.160.17, 40.126.32.76, 40.126.32.74 | whitelisted
client.wns.windows.com | 40.113.103.199 | whitelisted
th.bing.com | 2.23.209.179, 2.23.209.173, 2.23.209.176, 2.23.209.178, 2.23.209.168, 2.23.209.171, 2.23.209.180, 2.23.209.181, 2.23.209.175 | whitelisted

Threats

PID | Process | Class | Message

2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2256 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org

No debug info


FAQs

What is malware analysis sandbox? ›

A sandbox is a system for malware detection that runs a suspicious object in a virtual machine (VM) with a fully-featured OS and detects the object's malicious activity by analyzing its behavior. If the object performs malicious actions in a VM, the sandbox detects it as malware.

What is malware sandbox 7? ›

A malware sandbox is a virtual environment where malware can be safely executed and analyzed without causing harm to the host system. It is an essential tool for cybersecurity professionals to understand the behavior of malware and develop effective defenses against it.

What is sandbox detected? ›

The term Sandbox Detection refers to a variety of evasion techniques that malware uses to determine whether or not it is being identified and executed within a sandbox.

What is Android security sandbox? ›

Android sandbox

The Android platform isolates apps from each other and protects them, and the overall system, from malicious apps and intruders. Android assigns a unique user ID (UID) to each application to create a kernel-level sandbox. This kernel ensures security between apps and the system at the process level.

What is sandbox on my phone? ›

This isolates apps from each other and protects apps and the system from malicious apps. To do this, Android assigns a unique user ID (UID) to each Android application and runs it in its own process. Android uses the UID to set up a kernel-level Application Sandbox.

Is using sandbox safe? ›

When sandboxing is used for testing, it creates a safe place to install and execute a program, particularly a suspicious one, without exposing the rest of your system. If the application contains malicious code, it can run within the sandbox without impacting any other components of your network.

Can viruses bypass sandbox? ›

Sandboxing is a proven way to detect malware and prevent its execution. However, malicious actors search for ways to teach their malware to stay inactive in the sandbox. Sandbox-evading malware can bypass protections and execute malicious code without being detected by modern cybersecurity solutions.

What is a sandbox in data analysis? ›

A data sandbox is a secure and secluded environment that allows data analysts and data scientists to explore, experiment, and collaborate with data without jeopardizing the safety and integrity of the main data repository.

Is Windows sandbox good for malware analysis? ›

The Windows 10 Sandbox acts as an isolated environment that can be used for testing potentially malicious code. Nothing run inside the sandbox environment should harm the primary operating system, and the sandbox is automatically reset to a pristine state each time it is used.

What is the purpose of a sandbox for testing? ›

A sandbox is an isolated testing environment that enables users to run programs or open files without affecting the application, system or platform on which they run.

What is sandbox used for in cyber security? ›

Sandboxing is designed to prevent threats from getting on the network and is frequently used to inspect untested or untrusted code. Sandboxing keeps the code relegated to a test environment so it doesn't infect or cause damage to the host machine or operating system.

Article information

Author: Msgr. Benton Quitzon
