Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Gj8P0mbklo.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.621191048042736
Filename:	Gj8P0mbklo.exe
Filesize:	362496
MD5:	bad3fa5127efcc9c678c5d71fce0d0b2
SHA1:	c5f49dd54b71eaf4e1ba3a9fdfc51c7fb8afbea8
SHA256:	f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835
SHA512:	5b6d5efa4dcf49a43e992652194d45a407e9482dcd21ff887ae709a98944c21d6b7ea67dc518493c0416e3fd2ee38ed0f02c3b75a762b6784af14f0ce69e78ab
SSDEEP:	6144:5OvAYHNayUljnWrd+VKTEK/AeI8eajd8j4xET4YAOqz/B:5mjNadljnWrd+V0EXzS+4CTNo7B
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K...............D.......D.......D.......@...D...@.......@.......D.......................................Rich...................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System Ingress Tool Transfer
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Found strings which match to known social media urls	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Might use command line arguments	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199609719039[1].htm

HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199609719039[1].htm
Category:	dropped
Dump:	76561199609719039[1].htm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Gj8P0mbklo.exe
Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Entropy:	5.386073524863294
Encrypted:	false
Ssdeep:	768:/dpqm+0Ih3YAA9CWGEmfcDAfPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2w:/d8m+0Ih3YAA9CWGEmFfPzzgiJmDzJtT
Size:	34789
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\89737b57-777d-400d-bb7f-77b7e024920e[1].txt

ASCII text, with very long lines (47680), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\89737b57-777d-400d-bb7f-77b7e024920e[1].txt
Category:	dropped
Dump:	89737b57-777d-400d-bb7f-77b7e024920e[1].txt.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Gj8P0mbklo.exe
Type:	ASCII text, with very long lines (47680), with no line terminators
Entropy:	5.362966359018906
Encrypted:	false
Ssdeep:	768:vzsNZzFhOnDMIf19+kXSV0brSxnb22fnc6KWWhv6GYcnvabaMi9idvbU0nagalQb:v0zPO9f1ouYgLvRMymbU0ni4xKjo
Size:	47680
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Gj8P0mbklo.exe

"C:\Users\user\Desktop\Gj8P0mbklo.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6256
Target ID:	0
Parent PID:	4004
Name:	Gj8P0mbklo.exe
Path:	C:\Users\user\Desktop\Gj8P0mbklo.exe
Commandline:	"C:\Users\user\Desktop\Gj8P0mbklo.exe"
Size:	362496
MD5:	BAD3FA5127EFCC9C678C5D71FCE0D0B2
Time:	15:19:53
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x350000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Arc Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://player.vimeo.com

unknown

https://duckduckgo.com/ac/?q=

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=_Vry

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://dervinko.biz/Up

104.21.13.203

https://dervinko.biz/Up/bAW

unknown

https://dervinko.biz/Up/b_

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://steamcommunity.com/profiles/76561199609719039/badges

unknown

https://s.ytimg.com;

unknown

https://steam.tv/

unknown

https://dervinko.biz/Up/bistAndAuditAlarmByHandle

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://dervinko.biz/ujs/89737b57-777d-400d-bb7f-77b7e024920e

104.21.13.203

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://crl.rootca1.amazontrust.com/rootca1.crl0

unknown

http://ocsp.rootca1.amazontrust.com0:

unknown

https://sketchfab.com

unknown

https://www.ecosia.org/newtab/

unknown

https://lv.queniujq.cn

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://steamcommunity.com/profiles/76561199609719039

23.61.62.148

https://dervinko.biz/q

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://www.google.com/recaptcha/

unknown

https://checkout.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://steamcommunity.com/-

unknown

https://help.steampowered.com/en/

unknown

https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=roSu8uqw

unknown

https://dervinko.biz

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://dervinko.biz/Up/bistAndAuditAlarmByHandleerta

unknown

https://store.steampowered.com/stats/

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

https://steamcommunity.com/profiles/76561199609719039(

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://dervinko.biz/

unknown

https://steamcommunity.com/profiles/76561199609719039B

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8ABA&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://dervinko.biz/Up/byDllc

unknown

https://dervinko.biz/Up/b

104.21.13.203

https://recaptcha.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

http://127.0.0.1:27060

unknown

https://steamcommunity.com/profiles/76561199609719039/inventory/

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=KyfgrihL0xta&l=e

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

23.61.62.148

Details

Name:	steamcommunity.com
IP:	23.61.62.148
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

dervinko.biz

104.21.13.203

Details

Name:	dervinko.biz
IP:	104.21.13.203
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

23.61.62.148

steamcommunity.com

United States

Details

IP:	23.61.62.148
TargetID:	0
Current Path:	C:\Users\user\Desktop\Gj8P0mbklo.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.13.203

dervinko.biz

United States

Details

IP:	104.21.13.203
TargetID:	0
Current Path:	C:\Users\user\Desktop\Gj8P0mbklo.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	dervinko.biz

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5125000

heap

page read and write

50E6000

heap

page read and write

274A000

heap

page read and write

3A7000

unkown

page write copy

50CA000

heap

page read and write

5123000

heap

page read and write

50DA000

heap

page read and write

5134000

heap

page read and write

50B8000

heap

page read and write

52D0000

heap

page read and write

5125000

heap

page read and write

2B0F000

stack

page read and write

50CE000

heap

page read and write

2600000

heap

page read and write

50CA000

heap

page read and write

26BE000

stack

page read and write

507F000

heap

page read and write

2835000

heap

page read and write

5087000

heap

page read and write

50C6000

heap

page read and write

2811000

heap

page read and write

2805000

heap

page read and write

47AF000

stack

page read and write

50CE000

heap

page read and write

274E000

heap

page read and write

50DA000

heap

page read and write

3A9000

unkown

page readonly

26E0000

heap

page read and write

350000

unkown

page readonly

2740000

heap

page read and write

50CA000

heap

page read and write

50C7000

heap

page read and write

396000

unkown

page readonly

52E7000

heap

page read and write

4B2E000

stack

page read and write

2803000

heap

page read and write

511B000

heap

page read and write

5307000

heap

page read and write

50CA000

heap

page read and write

50CE000

heap

page read and write

396000

unkown

page readonly

50CE000

heap

page read and write

50CE000

heap

page read and write

52E0000

trusted library allocation

page read and write

48AF000

stack

page read and write

507C000

heap

page read and write

27B1000

heap

page read and write

50DA000

heap

page read and write

50C4000

heap

page read and write

508A000

heap

page read and write

23F0000

heap

page read and write

27C8000

heap

page read and write

509D000

heap

page read and write

50BD000

heap

page read and write

5126000

heap

page read and write

5080000

heap

page read and write

5120000

heap

page read and write

509F000

heap

page read and write

51D1000

heap

page read and write

2A0F000

stack

page read and write

514A000

heap

page read and write

512D000

heap

page read and write

504F000

stack

page read and write

512B000

heap

page read and write

23B000

stack

page read and write

351000

unkown

page execute read

50CA000

heap

page read and write

5132000

heap

page read and write

50C7000

heap

page read and write

52E0000

trusted library allocation

page read and write

5070000

heap

page read and write

5154000

heap

page read and write

531F000

heap

page read and write

50EB000

heap

page read and write

49EE000

stack

page read and write

5121000

heap

page read and write

4DEE000

stack

page read and write

4AEF000

stack

page read and write

350000

unkown

page readonly

4F10000

remote allocation

page read and write

50C8000

heap

page read and write

50EB000

heap

page read and write

50DA000

heap

page read and write

50E6000

heap

page read and write

507D000

heap

page read and write

3A9000

unkown

page readonly

530F000

heap

page read and write

5133000

heap

page read and write

5137000

heap

page read and write

50EE000

heap

page read and write

280E000

heap

page read and write

4F10000

remote allocation

page read and write

5098000

heap

page read and write

4EED000

stack

page read and write

5097000

heap

page read and write

52E7000

heap

page read and write

50CE000

heap

page read and write

510B000

heap

page read and write

5140000

heap

page read and write

50EB000

heap

page read and write

509D000

heap

page read and write

5120000

heap

page read and write

5090000

heap

page read and write

513C000

heap

page read and write

2811000

heap

page read and write

52E0000

heap

page read and write

50EE000

heap

page read and write

4C6D000

stack

page read and write

49AF000

stack

page read and write

508F000

heap

page read and write

27C5000

heap

page read and write

52ED000

heap

page read and write

4360000

heap

page read and write

508C000

heap

page read and write

42EE000

stack

page read and write

507F000

heap

page read and write

50D5000

heap

page read and write

5145000

heap

page read and write

2677000

heap

page read and write

50CD000

heap

page read and write

50CE000

heap

page read and write

273E000

stack

page read and write

351000

unkown

page execute read

4C2E000

stack

page read and write

5078000

heap

page read and write

50CE000

heap

page read and write

4F10000

remote allocation

page read and write

50C1000

heap

page read and write

2670000

heap

page read and write

2675000

heap

page read and write

510B000

heap

page read and write

5142000

heap

page read and write

50EE000

heap

page read and write

2794000

heap

page read and write

264E000

stack

page read and write

507F000

heap

page read and write

4D6C000

stack

page read and write

5120000

heap

page read and write

5138000

heap

page read and write

50D2000

heap

page read and write

4F4E000

stack

page read and write

511F000

heap

page read and write

52FF000

heap

page read and write

52E0000

trusted library allocation

page read and write

5080000

heap

page read and write

51D0000

heap

page read and write

33A000

stack

page read and write

3A7000

unkown

page read and write

5317000

heap

page read and write

512B000

heap

page read and write

507F000

heap

page read and write

432E000

stack

page read and write

There are 142 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Gj8P0mbklo.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportGj8P0mbklo.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Gj8P0mbklo.exe