Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Products Order.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.10191984815915
Filename:	Products Order.exe
Filesize:	775680
MD5:	ab09f11ddb556069549717cc1f37fdc1
SHA1:	e4cba5e88d12df5f9b0eb1dab978b48d63f6b57b
SHA256:	6946d0d3322995d1c4a8f407b8a627e37644dcc4ddef07b97167f9a4e57b0ee1
SHA512:	c85c518d4216cb9316f96d70240093f4193e5817d761623371f9d6cb011c6d2cb2b8c78162bde04e46baa3add624bdb87c9a506eff97326a34b6a271192f34ba
SSDEEP:	3072:dYbDPtd2epEFbMkbNZG46Xz3kFE0bFd+m0de2fcRMBLEFx11Hiv2MN+lEEUMIbhp:2BjkbNNhNHG+96+ixbcdWtoBr
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....uDf.................8..........^V... ...`....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code contains very large strings	System Summary
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Yara signature match	System Summary	Process Injection
.NET source code contains many randomly named methods	Data Obfuscation	Process Injection Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Process Injection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Products Order.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Products Order.exe.log
Category:	dropped
Dump:	Products Order.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Products Order.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\188E93\31437F.lck

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Roaming\188E93\31437F.lck
Category:	dropped
Dump:	31437F.lck.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Type:	data
Entropy:	1.168829563685559
Encrypted:	false
Ssdeep:	3:/lSll2DQi:AoMi
Size:	47
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Products Order.exe

"C:\Users\user\Desktop\Products Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3436
Target ID:	0
Parent PID:	1028
Name:	Products Order.exe
Path:	C:\Users\user\Desktop\Products Order.exe
Commandline:	"C:\Users\user\Desktop\Products Order.exe"
Size:	775680
MD5:	AB09F11DDB556069549717CC1F37FDC1
Time:	00:36:49
Date:	16/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x430000
Modulesize:	794624
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: AspNetCompiler Execution	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5352
Target ID:	2
Parent PID:	3436
Name:	aspnet_compiler.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Size:	56368
MD5:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Time:	00:36:50
Date:	16/05/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: AspNetCompiler Execution	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://kbfvzoboss.bid/alien/fre.php

Details

Name:	http://kbfvzoboss.bid/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Products Order.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

45.90.57.51/big/five/fre.php

Details

Name:	45.90.57.51/big/five/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Products Order.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.win/alien/fre.php

Details

Name:	http://alphastand.win/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Products Order.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://45.90.57.51/big/five/fre.php

45.90.57.51

Details

Name:	http://45.90.57.51/big/five/fre.php
IP:	45.90.57.51
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

http://alphastand.trade/alien/fre.php

Details

Name:	http://alphastand.trade/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Products Order.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.top/alien/fre.php

Details

Name:	http://alphastand.top/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Products Order.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://www.ibsensoftware.com/

unknown

IPs

Domain

Country

Malicious

45.90.57.51

unknown

Bulgaria

Details

IP:	45.90.57.51
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	204957
ASN name:	GREENFLOID-ASUA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

2A2D000

trusted library allocation

page read and write

12AA6000

trusted library allocation

page read and write

4B6000

unkown

page readonly

778000

heap

page read and write

2D82000

trusted library allocation

page read and write

1C000

unkown

page readonly

2E7B000

trusted library allocation

page read and write

2BF8000

trusted library allocation

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

29E2000

trusted library allocation

page read and write

2BFA000

trusted library allocation

page read and write

D90000

heap

page read and write

7FF848EA0000

trusted library allocation

page read and write

2A26000

trusted library allocation

page read and write

2A1F000

trusted library allocation

page read and write

10000

unkown

page readonly

2E46000

trusted library allocation

page read and write

580000

heap

page read and write

1A910000

trusted library allocation

page read and write

2C07000

trusted library allocation

page read and write

28DE000

stack

page read and write

2D6B000

trusted library allocation

page read and write

2E81000

trusted library allocation

page read and write

2E48000

trusted library allocation

page read and write

A50000

trusted library section

page read and write

7FF848DFD000

trusted library allocation

page execute and read and write

7FF4893F0000

trusted library allocation

page execute and read and write

2D7E000

trusted library allocation

page read and write

F9E000

stack

page read and write

2DA0000

trusted library allocation

page read and write

7FF848E00000

trusted library allocation

page read and write

2E8A000

trusted library allocation

page read and write

2E3C000

trusted library allocation

page read and write

2A1B000

trusted library allocation

page read and write

2A0D000

trusted library allocation

page read and write

4B1000

unkown

page readonly

2E6A000

trusted library allocation

page read and write

12989000

trusted library allocation

page read and write

1035000

heap

page read and write

4C0000

heap

page read and write

128E8000

trusted library allocation

page read and write

1030000

heap

page read and write

2DA4000

trusted library allocation

page read and write

2D94000

trusted library allocation

page read and write

7FF848ED6000

trusted library allocation

page execute and read and write

2A19000

trusted library allocation

page read and write

2E68000

trusted library allocation

page read and write

29E6000

trusted library allocation

page read and write

12AC0000

trusted library allocation

page read and write

12940000

trusted library allocation

page read and write

29EA000

trusted library allocation

page read and write

2D5F000

trusted library allocation

page read and write

2E4E000

trusted library allocation

page read and write

7FF848DF4000

trusted library allocation

page read and write

1B380000

heap

page read and write

2BDA000

trusted library allocation

page read and write

2BE7000

trusted library allocation

page read and write

2B50000

trusted library allocation

page read and write

2E5D000

trusted library allocation

page read and write

29E4000

trusted library allocation

page read and write

29FC000

trusted library allocation

page read and write

29F7000

trusted library allocation

page read and write

ACF000

heap

page read and write

2D6D000

trusted library allocation

page read and write

A10000

trusted library allocation

page read and write

B0C000

heap

page read and write

AA6000

heap

page read and write

7FF848F90000

trusted library allocation

page read and write

1B58E000

stack

page read and write

2D8D000

trusted library allocation

page read and write

AE2000

heap

page read and write

AA0000

heap

page read and write

7FF848E4C000

trusted library allocation

page execute and read and write

2BD2000

trusted library allocation

page read and write

AD2000

heap

page read and write

1B78F000

stack

page read and write

2A17000

trusted library allocation

page read and write

8F2000

stack

page read and write

128E1000

trusted library allocation

page read and write

5C0000

heap

page read and write

2220000

heap

page read and write

2E5F000

trusted library allocation

page read and write

276F000

stack

page read and write

129D1000

trusted library allocation

page read and write

2DA2000

trusted library allocation

page read and write

7FF848EB0000

trusted library allocation

page execute and read and write

4D9000

unkown

page readonly

2BD4000

trusted library allocation

page read and write

2BC7000

trusted library allocation

page read and write

2E4C000

trusted library allocation

page read and write

2D8B000

trusted library allocation

page read and write

590000

heap

page read and write

5D0000

heap

page read and write

1B68F000

stack

page read and write

1AE6D000

stack

page read and write

430000

unkown

page readonly

2BC1000

trusted library allocation

page read and write

21AE000

stack

page read and write

128E3000

trusted library allocation

page read and write

2BC5000

trusted library allocation

page read and write

A20000

heap

page execute and read and write

29E8000

trusted library allocation

page read and write

B0E000

heap

page read and write

750000

heap

page read and write

7FF848E04000

trusted library allocation

page read and write

5A0000

heap

page read and write

12A19000

trusted library allocation

page read and write

29F3000

trusted library allocation

page read and write

1B48E000

stack

page read and write

2BFC000

trusted library allocation

page read and write

AD4000

heap

page read and write

2DAD000

trusted library allocation

page read and write

2E59000

trusted library allocation

page read and write

D95000

heap

page read and write

2E57000

trusted library allocation

page read and write

266F000

stack

page read and write

2E4A000

trusted library allocation

page read and write

2D7A000

trusted library allocation

page read and write

4C9000

unkown

page readonly

2D6F000

trusted library allocation

page read and write

C9E000

stack

page read and write

2BF6000

trusted library allocation

page read and write

12A61000

trusted library allocation

page read and write

AAC000

heap

page read and write

2A04000

trusted library allocation

page read and write

215E000

stack

page read and write

5B0000

heap

page read and write

48E000

unkown

page readonly

2BD8000

trusted library allocation

page read and write

2E7D000

trusted library allocation

page read and write

1AC000

stack

page read and write

E9E000

stack

page read and write

430000

unkown

page readonly

B6E000

heap

page read and write

1AC68000

heap

page read and write

7FF848E10000

trusted library allocation

page read and write

2E7F000

trusted library allocation

page read and write

AC000

stack

page read and write

2A1D000

trusted library allocation

page read and write

2BE3000

trusted library allocation

page read and write

29F9000

trusted library allocation

page read and write

5B0000

heap

page read and write

28E1000

trusted library allocation

page read and write

ADF000

heap

page read and write

1B1B0000

heap

page read and write

2D80000

trusted library allocation

page read and write

5D0000

heap

page read and write

7FF848F10000

trusted library allocation

page execute and read and write

2E5B000

trusted library allocation

page read and write

2BD6000

trusted library allocation

page read and write

12000

unkown

page readonly

432000

unkown

page readonly

2D9E000

trusted library allocation

page read and write

2E71000

trusted library allocation

page read and write

4D2000

unkown

page readonly

2D7C000

trusted library allocation

page read and write

9F0000

trusted library allocation

page read and write

5B5000

heap

page read and write

12AE3000

trusted library allocation

page read and write

2BC9000

trusted library allocation

page read and write

ACA000

heap

page read and write

2A06000

trusted library allocation

page read and write

770000

heap

page read and write

2D67000

trusted library allocation

page read and write

A90000

heap

page read and write

4A0000

remote allocation

page execute and read and write

There are 157 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Products Order.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportProducts Order.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
Products Order.exe