File name: | 0362-24 SHINRYO.exe |
Full analysis: | https://app.any.run/tasks/d299b288-5a34-408b-a2b5-c1f60d326cbb |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | August 08, 2024, 09:25:49 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | evasion snake keylogger telegram stealer |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 22412A42B02E2ACE2AE37F7A509870E6 |
SHA1: | A668A4A28A16050C8D132F1D381AA95CC00B990F |
SHA256: | |
SSDEEP: | 49152:YPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtAvzb:KP/mp7t3T4+B/btosJwIA4hHmZlKH2TH |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
Drops the executable file immediately after the start
- 0362-24 SHINRYO.exe (PID: 6388)
Creates files in the Startup directory
- name.exe (PID: 6472)
SNAKEKEYLOGGER has been detected (SURICATA)
- RegSvcs.exe (PID: 6528)
Scans artifacts that could help determine the target
- RegSvcs.exe (PID: 6528)
SNAKE has been detected (YARA)
- RegSvcs.exe (PID: 6528)
Steals credentials from Web Browsers
- RegSvcs.exe (PID: 6528)
Actions look like stealing of personal data
- RegSvcs.exe (PID: 6528)
SUSPICIOUS
Starts itself from another location
- 0362-24 SHINRYO.exe (PID: 6388)
Executable content was dropped or overwritten
- 0362-24 SHINRYO.exe (PID: 6388)
Checks for external IP
- svchost.exe (PID: 2256)
- RegSvcs.exe (PID: 6528)
The process verifies whether the antivirus software is installed
- RegSvcs.exe (PID: 6528)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- RegSvcs.exe (PID: 6528)
INFO
Checks supported languages
- 0362-24 SHINRYO.exe (PID: 6388)
- name.exe (PID: 6472)
- RegSvcs.exe (PID: 6528)
Creates files in a temporary directory
- 0362-24 SHINRYO.exe (PID: 6388)
- name.exe (PID: 6472)
Reads the machine GUID from the registry
- 0362-24 SHINRYO.exe (PID: 6388)
- RegSvcs.exe (PID: 6528)
Reads mouse settings
- 0362-24 SHINRYO.exe (PID: 6388)
- name.exe (PID: 6472)
Creates files or folders in the user directory
- 0362-24 SHINRYO.exe (PID: 6388)
- name.exe (PID: 6472)
Reads Environment values
- RegSvcs.exe (PID: 6528)
Checks proxy server information
- RegSvcs.exe (PID: 6528)
Disables trace logs
- RegSvcs.exe (PID: 6528)
Reads the software policy settings
- RegSvcs.exe (PID: 6528)
Reads Microsoft Office registry keys
- RegSvcs.exe (PID: 6528)
Attempting to use instant messaging service
- RegSvcs.exe (PID: 6528)
- svchost.exe (PID: 2256)
No Malware configuration.
TRiD
Extension | Type | Probability (%)
---|---|---
.exe | Win64 Executable (generic) | 76.4
.exe | Win32 Executable (generic) | 12.4
.exe | Generic Win/DOS Executable | 5.5
.exe | DOS Executable Generic | 5.5
EXIF (EXE)
Field | Value
---|---
CharacterSet | Unicode
LanguageCode | English (British)
FileSubtype | -
ObjectFileType | Executable application
FileOS | Win32
FileFlags | (none)
FileFlagsMask | 0x0000
ProductVersionNumber | 0.0.0.0
FileVersionNumber | 0.0.0.0
Subsystem | Windows GUI
SubsystemVersion | 5.1
ImageVersion | -
OSVersion | 5.1
EntryPoint | 0x20577
UninitializedDataSize | -
InitializedDataSize | 498176
CodeSize | 633856
LinkerVersion | 14.16
PEType | PE32
ImageFileCharacteristics | Executable, Large address aware, 32-bit
TimeStamp | 2024:08:07 01:36:12+00:00
MachineType | Intel 386 or later, and compatibles
No data.
Total processes: 135
Monitored processes: 4
Malicious processes: 3
Suspicious processes: -
Process information
PID | CMD | Path | Parent process | Details
---|---|---|---|---
6388 | "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe" | C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe | explorer.exe | User: admin; Integrity Level: MEDIUM
6472 | "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe" | C:\Users\admin\AppData\Local\directory\name.exe | 0362-24 SHINRYO.exe | User: admin; Integrity Level: MEDIUM
6528 | "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | name.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Services Installation Utility; Version: 4.8.9037.0 built by: NET481REL1
2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 1897
Read events: 1882
Write events: 15
Delete events: -
Modification events
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | write | EnableConsoleTracing |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableFileTracing |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableAutoFileTracing |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableConsoleTracing |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | FileTracingMask |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | ConsoleTracingMask |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | MaxFileSize | 1048576
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | FileDirectory | %windir%\tracing
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | write | EnableFileTracing |
6528 | RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | write | EnableAutoFileTracing |
Executable files: 1
Suspicious files: 7
Text files: -
Unknown types: -
Dropped files
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\pensum | binary | 27B4ED6713AD2AD2956A2B30C55B893D | 499B2AEB7E8B76BD8F16EC067FC1C4D5CD2D2FC61198248528A72F9C472A7C46
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\aut5020.tmp | binary | 54B982A7D36409EB3F6F75607442664C | 1D3F1F8DEADE90230DE7E4984E4644EB7519EE18DC1257C8772A75BEC2CCECAE
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\aut5000.tmp | binary | 679273B570FFBC74C52D6F9824BD3C85 | EBB41283F1C8B82437128BBDF405843151BBC3ACDF1124CA01E7D9A73128A903
6472 | name.exe | C:\Users\admin\AppData\Local\Temp\aut5418.tmp | binary | 54B982A7D36409EB3F6F75607442664C | 1D3F1F8DEADE90230DE7E4984E4644EB7519EE18DC1257C8772A75BEC2CCECAE
6472 | name.exe | C:\Users\admin\AppData\Local\Temp\aut5407.tmp | binary | 679273B570FFBC74C52D6F9824BD3C85 | EBB41283F1C8B82437128BBDF405843151BBC3ACDF1124CA01E7D9A73128A903
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\murky | binary | 017BCEA1C7763767036D28762E8250FD | DA4E9450BD5D15BAC93980EB5044974E5A5297479CB640EA46D73FC94ABAF870
6472 | name.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | binary | 8D36AEBB434979DC95BD369F5BBAC124 | 2A4F18E7C423B6707A83926BCDA45179137A2CE168C7BB4267EF28AB7EB73E13
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\directory\name.exe | executable | 22412A42B02E2ACE2AE37F7A509870E6 | E19655A97F263D76EE3A2AE3F9E36B92B19FD9182D786EBB543FA6184B54D2DF
HTTP(S) requests: 15
TCP/UDP connections: 48
DNS requests: 20
Threats: -
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1784 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3268 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6528 | RegSvcs.exe | 132.226.247.73:80 | checkip.dyndns.org | ORACLE-BMC-31898 | BR | unknown |
6528 | RegSvcs.exe | 188.114.96.3:443 | reallyfreegeoip.org | CLOUDFLARENET | NL | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6528 | RegSvcs.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | unknown |
1784 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
DNS requests
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
google.com | | whitelisted
checkip.dyndns.org | | shared
reallyfreegeoip.org | | malicious
api.telegram.org | | shared
www.bing.com | | whitelisted
ocsp.digicert.com | | whitelisted
login.live.com | | whitelisted
client.wns.windows.com | | whitelisted
th.bing.com | | whitelisted
Threats
PID | Process | Class | Message |
---|---|---|---|
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check |
2256 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
6528 | RegSvcs.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
No debug info