Malware analysis 0362-24 SHINRYO.exe Malicious activity | ANY.RUN - Malware Sandbox Online (2024)

File name:

0362-24 SHINRYO.exe

Full analysis: https://app.any.run/tasks/d299b288-5a34-408b-a2b5-c1f60d326cbb
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.


Analysis date: August 08, 2024, 09:25:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, snake, keylogger, telegram, stealer

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 22412A42B02E2ACE2AE37F7A509870E6
SHA1: A668A4A28A16050C8D132F1D381AA95CC00B990F
SHA256:
SSDEEP: 49152:YPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtAvzb:KP/mp7t3T4+B/btosJwIA4hHmZlKH2TH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0362-24 SHINRYO.exe (PID: 6388)
    • Create files in the Startup directory

      • name.exe (PID: 6472)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 6528)
    • Scans artifacts that could help determine the target

      • RegSvcs.exe (PID: 6528)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 6528)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 6528)
    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 6528)
  • SUSPICIOUS

    • Starts itself from another location

      • 0362-24 SHINRYO.exe (PID: 6388)
    • Executable content was dropped or overwritten

      • 0362-24 SHINRYO.exe (PID: 6388)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • RegSvcs.exe (PID: 6528)
    • The process verifies whether the antivirus software is installed

      • RegSvcs.exe (PID: 6528)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • RegSvcs.exe (PID: 6528)
  • INFO

    • Checks supported languages

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
      • RegSvcs.exe (PID: 6528)
    • Create files in a temporary directory

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
    • Reads the machine GUID from the registry

      • 0362-24 SHINRYO.exe (PID: 6388)
      • RegSvcs.exe (PID: 6528)
    • Reads mouse settings

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
    • Creates files or folders in the user directory

      • 0362-24 SHINRYO.exe (PID: 6388)
      • name.exe (PID: 6472)
    • Reads Environment values

      • RegSvcs.exe (PID: 6528)
    • Checks proxy server information

      • RegSvcs.exe (PID: 6528)
    • Disables trace logs

      • RegSvcs.exe (PID: 6528)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 6528)
    • Reads Microsoft Office registry keys

      • RegSvcs.exe (PID: 6528)
    • Attempting to use instant messaging service

      • RegSvcs.exe (PID: 6528)
      • svchost.exe (PID: 2256)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report.

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x20577
UninitializedDataSize: -
InitializedDataSize: 498176
CodeSize: 633856
LinkerVersion: 14.16
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:08:07 01:36:12+00:00
MachineType: Intel 386 or later, and compatibles

No data.


All screenshots are available in the full report


Total processes: 135
Monitored processes: 4
Malicious processes: 3
Suspicious processes:

Process information

PID: 6388
CMD: "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe"
Path: C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules

Images

c:\users\admin\appdata\local\temp\0362-24 shinryo.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\ntdll.dll

c:\windows\system32\wow64.dll

c:\windows\system32\wow64win.dll

c:\windows\system32\wow64cpu.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\kernelbase.dll

c:\windows\syswow64\apphelp.dll

c:\windows\syswow64\psapi.dll

PID: 6472
CMD: "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe"
Path: C:\Users\admin\AppData\Local\directory\name.exe
Parent process: 0362-24 SHINRYO.exe
User: admin
Integrity Level: MEDIUM

Modules

Images

c:\users\admin\appdata\local\directory\name.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\ntdll.dll

c:\windows\system32\wow64.dll

c:\windows\system32\wow64win.dll

c:\windows\system32\wow64cpu.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\kernelbase.dll

c:\windows\syswow64\apphelp.dll

c:\windows\syswow64\psapi.dll

PID: 6528
CMD: "C:\Users\admin\AppData\Local\Temp\0362-24 SHINRYO.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: name.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1

Modules

Images

c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\31532774e8bbbd9c59b5e6d7829d3242\mscorlib.ni.dll

c:\windows\syswow64\ole32.dll

c:\windows\syswow64\combase.dll

c:\windows\syswow64\bcryptprimitives.dll

c:\windows\syswow64\uxtheme.dll

c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll

c:\windows\syswow64\oleaut32.dll

c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll

c:\windows\assembly\nativeimages_v4.0.30319_32\system\a4caf3619115bb96d9443fdc0d0fe612\system.ni.dll

c:\windows\microsoft.net\assembly\gac_msil\microsoft.visualbasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\microsoft.visualbasic.dll

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\svchost.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\sechost.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\bcrypt.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\combase.dll

c:\windows\system32\kernel.appcore.dll

Total events: 1897
Read events: 1882
Write events: 15
Delete events:

Modification events

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation: write
Name: EnableConsoleTracing
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: EnableFileTracing
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation: write
Name: EnableFileTracing
Value:

Process: (6528) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value:

Executable files: 1
Suspicious files: 7
Text files:
Unknown types:

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\pensum | binary | 27B4ED6713AD2AD2956A2B30C55B893D | 499B2AEB7E8B76BD8F16EC067FC1C4D5CD2D2FC61198248528A72F9C472A7C46
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\aut5020.tmp | binary | 54B982A7D36409EB3F6F75607442664C | 1D3F1F8DEADE90230DE7E4984E4644EB7519EE18DC1257C8772A75BEC2CCECAE
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\aut5000.tmp | binary | 679273B570FFBC74C52D6F9824BD3C85 | EBB41283F1C8B82437128BBDF405843151BBC3ACDF1124CA01E7D9A73128A903
6472 | name.exe | C:\Users\admin\AppData\Local\Temp\aut5418.tmp | binary | 54B982A7D36409EB3F6F75607442664C | 1D3F1F8DEADE90230DE7E4984E4644EB7519EE18DC1257C8772A75BEC2CCECAE
6472 | name.exe | C:\Users\admin\AppData\Local\Temp\aut5407.tmp | binary | 679273B570FFBC74C52D6F9824BD3C85 | EBB41283F1C8B82437128BBDF405843151BBC3ACDF1124CA01E7D9A73128A903
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\Temp\murky | binary | 017BCEA1C7763767036D28762E8250FD | DA4E9450BD5D15BAC93980EB5044974E5A5297479CB640EA46D73FC94ABAF870
6472 | name.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | binary | 8D36AEBB434979DC95BD369F5BBAC124 | 2A4F18E7C423B6707A83926BCDA45179137A2CE168C7BB4267EF28AB7EB73E13
6388 | 0362-24 SHINRYO.exe | C:\Users\admin\AppData\Local\directory\name.exe | executable | 22412A42B02E2ACE2AE37F7A509870E6 | E19655A97F263D76EE3A2AE3F9E36B92B19FD9182D786EBB543FA6184B54D2DF

Download PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 15
TCP/UDP connections: 48
DNS requests: 20
Threats:

HTTP requests (columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation)

6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown
6528 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | unknown


Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1784 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3268 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6528 | RegSvcs.exe | 132.226.247.73:80 | checkip.dyndns.org | ORACLE-BMC-31898 | BR | unknown
6528 | RegSvcs.exe | 188.114.96.3:443 | reallyfreegeoip.org | CLOUDFLARENET | NL | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
6528 | RegSvcs.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | unknown
1784 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain

IP

Reputation

settings-win.data.microsoft.com

  • 4.231.128.59
  • 40.127.240.158

whitelisted

google.com

  • 142.250.185.142

whitelisted

checkip.dyndns.org

  • 132.226.247.73
  • 158.101.44.242
  • 193.122.6.168
  • 193.122.130.0
  • 132.226.8.169

shared

reallyfreegeoip.org

  • 188.114.96.3
  • 188.114.97.3

malicious

api.telegram.org

  • 149.154.167.220

shared

www.bing.com

  • 2.23.209.179
  • 2.23.209.173
  • 2.23.209.176
  • 2.23.209.178
  • 2.23.209.168
  • 2.23.209.171
  • 2.23.209.180
  • 2.23.209.181
  • 2.23.209.175

whitelisted

ocsp.digicert.com

  • 192.229.221.95

whitelisted

login.live.com

  • 20.190.160.22
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.74

whitelisted

client.wns.windows.com

  • 40.113.103.199

whitelisted

th.bing.com

  • 2.23.209.179
  • 2.23.209.173
  • 2.23.209.176
  • 2.23.209.178
  • 2.23.209.168
  • 2.23.209.171
  • 2.23.209.180
  • 2.23.209.181
  • 2.23.209.175

whitelisted

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2256 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
6528 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org

No debug info
