Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Client.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.432909545249053
Filename:	Client.exe
Filesize:	67072
MD5:	83e3936ceff5bb0e3666a998e4100f51
SHA1:	884fe1206cbbdc31760391bce50d46386a73be96
SHA256:	0f605bb968b3cd3d7ec59533ea618a518b8668c23671ed15327fcd39dc70e7fa
SHA512:	8a8ba8b0df62bf1b83bdc3f83115c104b664510c2d072a9385a80473ea0f829a77b4c83fb2100697b82e54e699e2850e252af39ce5216a63bed19075c275235b
SSDEEP:	1536:c4TO8tKMh0Fwub9R+Z2jSbAcPHriCdJLMzibDtZ:vOFwub9kkjSbAWrRnMze
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."po..........."...0.................. ... ....@.. .......................`............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Client.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.99584879649948
Encrypted:	true
Ssdeep:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
Size:	69993
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Client.exe
Type:	data
Entropy:	3.221905162567841
Encrypted:	false
Ssdeep:	6:kKplllEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:xlllbkPlE99SNxAhUeVLVt
Size:	330
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Client.exe

"C:\Users\user\Desktop\Client.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6936
Target ID:	0
Parent PID:	4056
Name:	Client.exe
Path:	C:\Users\user\Desktop\Client.exe
Commandline:	"C:\Users\user\Desktop\Client.exe"
Size:	67072
MD5:	83E3936CEFF5BB0E3666A998E4100F51
Time:	09:14:41
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcc0000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6700
Target ID:	2
Parent PID:	6936
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:14:41
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

torenta2.vpndns.net

Details

Name:	torenta2.vpndns.net
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Client.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

torenta2.vpndns.net

168.119.211.236

Details

Name:	torenta2.vpndns.net
IP:	168.119.211.236
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

bg.microsoft.map.fastly.net

199.232.214.172

IPs

Domain

Country

Malicious

168.119.211.236

torenta2.vpndns.net

Germany

Details

IP:	168.119.211.236
TargetID:	0
Current Path:	C:\Users\user\Desktop\Client.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	torenta2.vpndns.net

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

3081000

trusted library allocation

page read and write

CC2000

unkown

page readonly

6460000

trusted library allocation

page read and write

2D82000

trusted library allocation

page read and write

5595000

heap

page read and write

2D70000

trusted library allocation

page read and write

2D7A000

trusted library allocation

page execute and read and write

2D54000

trusted library allocation

page read and write

311C000

trusted library allocation

page read and write

2D76000

trusted library allocation

page execute and read and write

5628000

heap

page read and write

666C000

stack

page read and write

598E000

stack

page read and write

158E000

stack

page read and write

2D53000

trusted library allocation

page execute and read and write

1207000

heap

page read and write

2D80000

trusted library allocation

page read and write

148E000

stack

page read and write

11E0000

heap

page read and write

1250000

heap

page read and write

2FF0000

heap

page read and write

67AE000

stack

page read and write

6226000

trusted library allocation

page read and write

2E90000

trusted library allocation

page execute and read and write

DC5000

heap

page read and write

652C000

stack

page read and write

12EF000

heap

page read and write

6F9E000

stack

page read and write

134E000

stack

page read and write

6229000

trusted library allocation

page read and write

5C4E000

stack

page read and write

FF670000

trusted library allocation

page execute and read and write

588E000

stack

page read and write

1283000

heap

page read and write

2D50000

trusted library allocation

page read and write

144E000

stack

page read and write

643E000

stack

page read and write

574D000

stack

page read and write

3010000

trusted library allocation

page read and write

64EF000

stack

page read and write

5590000

heap

page read and write

1210000

heap

page read and write

5FB1000

heap

page read and write

54FE000

stack

page read and write

73CFF000

unkown

page readonly

5646000

heap

page read and write

59CE000

stack

page read and write

2D40000

trusted library allocation

page read and write

CC0000

unkown

page readonly

12D2000

heap

page read and write

5550000

heap

page read and write

517D000

stack

page read and write

2DEE000

stack

page read and write

10F9000

stack

page read and write

682C000

stack

page read and write

629E000

stack

page read and write

2EA0000

heap

page read and write

3038000

trusted library allocation

page read and write

2D72000

trusted library allocation

page read and write

5ACE000

stack

page read and write

2FAE000

stack

page read and write

1253000

heap

page read and write

2D60000

trusted library allocation

page read and write

73CF6000

unkown

page readonly

68C0000

heap

page read and write

5E98000

heap

page read and write

DC0000

heap

page read and write

624B000

trusted library allocation

page read and write

6249000

trusted library allocation

page read and write

6235000

trusted library allocation

page read and write

5540000

heap

page execute and read and write

3070000

heap

page execute and read and write

2D5D000

trusted library allocation

page execute and read and write

5F2C000

heap

page read and write

73CE0000

unkown

page readonly

DF0000

heap

page read and write

67EE000

stack

page read and write

71DC000

stack

page read and write

5E90000

heap

page read and write

D6C000

stack

page read and write

11E7000

heap

page read and write

2FEC000

stack

page read and write

73CFD000

unkown

page read and write

5642000

heap

page read and write

4089000

trusted library allocation

page read and write

5634000

heap

page read and write

1200000

heap

page read and write

3030000

trusted library allocation

page read and write

68B0000

heap

page read and write

324E000

trusted library allocation

page read and write

4081000

trusted library allocation

page read and write

5D4F000

stack

page read and write

6204000

trusted library allocation

page read and write

2DA0000

trusted library allocation

page read and write

1245000

heap

page read and write

72DE000

stack

page read and write

6240000

trusted library allocation

page read and write

563E000

heap

page read and write

2D87000

trusted library allocation

page execute and read and write

6214000

trusted library allocation

page read and write

662D000

stack

page read and write

7350000

trusted library allocation

page execute and read and write

DE0000

heap

page read and write

553E000

stack

page read and write

676E000

stack

page read and write

121E000

heap

page read and write

64AD000

stack

page read and write

1218000

heap

page read and write

5EB0000

heap

page read and write

5F98000

heap

page read and write

2DF8000

trusted library allocation

page read and write

4087000

trusted library allocation

page read and write

73CE1000

unkown

page execute read

584E000

stack

page read and write

12E0000

heap

page read and write

2D8B000

trusted library allocation

page execute and read and write

6250000

trusted library allocation

page read and write

There are 107 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Client.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportClient.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Client.exe