Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe

"C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7044
Target ID:	0
Parent PID:	1028
Name:	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Commandline:	"C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe"
Size:	240128
MD5:	EA52EB173762DEB852109486758797AD
Time:	12:13:50
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x80000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#

unknown

Details

Name:	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Source:	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org

unknown

https://sectigo.com/CPS0

unknown

Details

Name:	https://sectigo.com/CPS0
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Source:	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

http://ocsp.sectigo.com0

unknown

Details

Name:	http://ocsp.sectigo.com0
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Source:	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://mail.privateemail.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Source:	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.0000000002531000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.privateemail.com

198.54.122.135

Details

Name:	mail.privateemail.com
IP:	198.54.122.135
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

198.54.122.135

mail.privateemail.com

United States

Details

IP:	198.54.122.135
TargetID:	0
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Country:	United States
Countrycode:	USA
ASN number:	22612
ASN name:	NAMECHEAP-NETUS
Private:	false
Domain:	mail.privateemail.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	0
Current Path:	C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

82000

unkown

page readonly

25AC000

trusted library allocation

page read and write

2581000

trusted library allocation

page read and write

25B4000

trusted library allocation

page read and write

B60000

trusted library allocation

page read and write

4E3E000

stack

page read and write

5D9F000

stack

page read and write

257D000

trusted library allocation

page read and write

2420000

heap

page execute and read and write

4F7E000

stack

page read and write

B77000

heap

page read and write

5920000

heap

page read and write

907000

trusted library allocation

page execute and read and write

23E2000

trusted library allocation

page read and write

6680000

heap

page read and write

23FD000

trusted library allocation

page read and write

1E0000

heap

page read and write

23DE000

trusted library allocation

page read and write

62C0000

trusted library allocation

page read and write

950000

heap

page read and write

4F8000

stack

page read and write

3559000

trusted library allocation

page read and write

6650000

trusted library allocation

page read and write

6E0000

trusted library allocation

page read and write

4A4C000

stack

page read and write

627F000

stack

page read and write

1C0000

heap

page read and write

5F1E000

stack

page read and write

66D0000

heap

page read and write

4AA0000

heap

page execute and read and write

23EE000

trusted library allocation

page read and write

742000

heap

page read and write

5937000

heap

page read and write

902000

trusted library allocation

page read and write

14A000

stack

page read and write

2330000

trusted library allocation

page read and write

238E000

stack

page read and write

5040000

heap

page read and write

6DD000

trusted library allocation

page execute and read and write

256F000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

735000

heap

page read and write

616D000

trusted library allocation

page read and write

5EDF000

stack

page read and write

23D0000

trusted library allocation

page read and write

4AB3000

heap

page read and write

1B0000

heap

page read and write

7FC80000

trusted library allocation

page execute and read and write

676000

heap

page read and write

571E000

stack

page read and write

920000

trusted library allocation

page read and write

670000

heap

page read and write

46CE000

stack

page read and write

4CFE000

stack

page read and write

4CBC000

stack

page read and write

4F3F000

stack

page read and write

2571000

trusted library allocation

page read and write

615F000

stack

page read and write

23F6000

trusted library allocation

page read and write

61E0000

trusted library allocation

page execute and read and write

61C0000

heap

page read and write

25BF000

trusted library allocation

page read and write

90B000

trusted library allocation

page execute and read and write

5C5E000

stack

page read and write

23EA000

trusted library allocation

page read and write

601D000

stack

page read and write

61D0000

trusted library allocation

page execute and read and write

B70000

heap

page read and write

2567000

trusted library allocation

page read and write

940000

trusted library allocation

page read and write

23CC000

stack

page read and write

6170000

trusted library allocation

page read and write

25A8000

trusted library allocation

page read and write

61BE000

stack

page read and write

6F6000

trusted library allocation

page execute and read and write

252E000

stack

page read and write

6D0000

trusted library allocation

page read and write

23DB000

trusted library allocation

page read and write

7C5000

heap

page read and write

70E000

heap

page read and write

2531000

trusted library allocation

page read and write

6F0000

trusted library allocation

page read and write

73F000

heap

page read and write

6ED000

trusted library allocation

page execute and read and write

930000

trusted library allocation

page execute and read and write

6FA000

trusted library allocation

page execute and read and write

905000

trusted library allocation

page execute and read and write

4DFE000

stack

page read and write

25A6000

trusted library allocation

page read and write

3531000

trusted library allocation

page read and write

70B000

heap

page read and write

5059000

trusted library allocation

page read and write

593E000

heap

page read and write

23F1000

trusted library allocation

page read and write

6D4000

trusted library allocation

page read and write

62D0000

trusted library allocation

page read and write

2340000

heap

page read and write

6F2000

trusted library allocation

page read and write

59A7000

heap

page read and write

7CD000

heap

page read and write

5DDD000

stack

page read and write

6D3000

trusted library allocation

page execute and read and write

59B0000

heap

page read and write

4538000

trusted library allocation

page read and write

4AC0000

heap

page read and write

5C9D000

stack

page read and write

6640000

trusted library allocation

page read and write

6C0000

trusted library allocation

page read and write

7EE000

heap

page read and write

6690000

trusted library allocation

page execute and read and write

4AB0000

heap

page read and write

80000

unkown

page readonly

700000

heap

page read and write

25AA000

trusted library allocation

page read and write

62D7000

trusted library allocation

page read and write

2320000

trusted library allocation

page read and write

503D000

stack

page read and write

605E000

stack

page read and write

6177000

trusted library allocation

page read and write

78F000

heap

page read and write

3599000

trusted library allocation

page read and write

5050000

trusted library allocation

page read and write

There are 112 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe