Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

scan copy.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.927498035897839
Filename:	scan copy.exe
Filesize:	841216
MD5:	70081b623e77616333b19e7bc186dd66
SHA1:	bc730c03095bbb3fb85773d564774b7fa2a4f2c9
SHA256:	90c2430071000bba0378a0e404c636df13958a02fa97b4ed19c1230da402da8f
SHA512:	1e34aa19d8299387e54fe9764ab9c5334a0b91049ed31a7333c3b1fbbeb43dd0b449eb7b538a64ae7c2ebc13dc2ed63e2a8a9667e0b472edff2d7dc50f2251d6
SSDEEP:	12288:cj2+TW+8LeXbSIrEPrWgeBG9BH79/UXQU4PIFQhIe8Gk1zesgqkkdR9CTt9XQo:cWLe+9oG9poQU47leeYkK9CTt9XQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....$.f.........."...0.................. .....@..... ....................................@...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Binary contains paths to development resources	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scan copy.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scan copy.exe.log
Category:	dropped
Dump:	scan copy.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\scan copy.exe
Type:	CSV text
Entropy:	5.380493107040482
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
Size:	1510
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\scan copy.exe

"C:\Users\user\Desktop\scan copy.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7260
Target ID:	0
Parent PID:	4084
Name:	scan copy.exe
Class:	system-tools
Path:	C:\Users\user\Desktop\scan copy.exe
Commandline:	"C:\Users\user\Desktop\scan copy.exe"
Size:	841216
MD5:	70081B623E77616333B19E7BC186DD66
Time:	06:25:18
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5d0000
Modulesize:	851968
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\scan copy.exe

"C:\Users\user\Desktop\scan copy.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7344
Target ID:	2
Parent PID:	7260
Name:	scan copy.exe
Class:	system-tools
Path:	C:\Users\user\Desktop\scan copy.exe
Commandline:	"C:\Users\user\Desktop\scan copy.exe"
Size:	841216
MD5:	70081B623E77616333B19E7BC186DD66
Time:	06:25:19
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x570000
Modulesize:	851968
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

https://reallyfreegeoip.org/xml/8.46.123.33p

unknown

http://checkip.dyndns.org/

132.226.8.169

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.8.169

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	2
Current Path:	C:\Users\user\Desktop\scan copy.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.8.169

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\scan copy_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

140002000

remote allocation

page execute and read and write

3742000

trusted library allocation

page read and write

13C65000

trusted library allocation

page read and write

3501000

trusted library allocation

page read and write

E50000

heap

page read and write

37D7000

trusted library allocation

page read and write

3B00000

trusted library allocation

page read and write

1CF00000

heap

page read and write

386A000

trusted library allocation

page read and write

DF2000

stack

page read and write

EAB000

heap

page read and write

7B5000

heap

page read and write

177E000

stack

page read and write

7FFB4B51C000

trusted library allocation

page execute and read and write

7FFB4B48D000

trusted library allocation

page execute and read and write

1810000

heap

page read and write

E78000

heap

page read and write

13501000

trusted library allocation

page read and write

5D2000

unkown

page readonly

7FFB4B462000

trusted library allocation

page read and write

1CD00000

heap

page read and write

3732000

trusted library allocation

page read and write

36FB000

trusted library allocation

page read and write

7FFB4B500000

trusted library allocation

page read and write

366B000

trusted library allocation

page read and write

7D0000

heap

page read and write

1D1E0000

trusted library section

page read and write

1C13E000

stack

page read and write

5D0000

unkown

page readonly

1E24F000

stack

page read and write

1905000

heap

page read and write

36B8000

trusted library allocation

page read and write

1EA8E000

stack

page read and write

36E7000

trusted library allocation

page read and write

2CD0000

heap

page execute and read and write

381E000

trusted library allocation

page read and write

2C23000

trusted library allocation

page read and write

7FFB4B570000

trusted library allocation

page execute and read and write

7B0000

heap

page read and write

7FFB4B4BC000

trusted library allocation

page execute and read and write

E98000

heap

page read and write

135A1000

trusted library allocation

page read and write

1E68D000

stack

page read and write

7FFB4B484000

trusted library allocation

page read and write

EDC000

heap

page read and write

E70000

heap

page read and write

1CDD7000

heap

page read and write

1C580000

heap

page read and write

7FFB4B473000

trusted library allocation

page read and write

3612000

trusted library allocation

page read and write

1900000

heap

page read and write

7FFB4B480000

trusted library allocation

page read and write

37EA000

trusted library allocation

page read and write

790000

heap

page read and write

E8C000

heap

page read and write

1C5E0000

heap

page read and write

140000000

remote allocation

page execute and read and write

EC0000

heap

page read and write

7FFB4B47D000

trusted library allocation

page execute and read and write

7FFB4B463000

trusted library allocation

page execute and read and write

1C58E000

stack

page read and write

1358B000

trusted library allocation

page read and write

2CF0000

heap

page read and write

35EC000

trusted library allocation

page read and write

EB1000

heap

page read and write

3A5E000

stack

page read and write

7FFB4B67D000

trusted library allocation

page read and write

7FFB4B650000

trusted library allocation

page read and write

36A8000

trusted library allocation

page read and write

13B7B000

trusted library allocation

page read and write

37F3000

trusted library allocation

page read and write

7FFB4B470000

trusted library allocation

page read and write

18E0000

trusted library allocation

page read and write

7FFB4B48B000

trusted library allocation

page execute and read and write

7FFB4B657000

trusted library allocation

page read and write

7FFB4B474000

trusted library allocation

page read and write

7FFB4B45D000

trusted library allocation

page execute and read and write

137E000

stack

page read and write

7FFB4B5F0000

trusted library allocation

page read and write

1CE14000

heap

page read and write

F0D000

heap

page read and write

7FFB4B653000

trusted library allocation

page read and write

7FFB4B50C000

trusted library allocation

page execute and read and write

7FFB4B46D000

trusted library allocation

page execute and read and write

1CFD4000

heap

page read and write

7FFB4B460000

trusted library allocation

page read and write

7FFB4B47D000

trusted library allocation

page execute and read and write

36AC000

trusted library allocation

page read and write

E20000

heap

page read and write

1ECE0000

heap

page read and write

13570000

trusted library allocation

page read and write

E80000

heap

page read and write

3602000

trusted library allocation

page read and write

1C1DC000

stack

page read and write

1C150000

heap

page read and write

1C610000

heap

page execute and read and write

7FFB4B506000

trusted library allocation

page read and write

E25000

heap

page read and write

370E000

trusted library allocation

page read and write

185A000

heap

page read and write

7FFB4B536000

trusted library allocation

page execute and read and write

7D5000

heap

page read and write

1DE4F000

stack

page read and write

13594000

trusted library allocation

page read and write

3667000

trusted library allocation

page read and write

7FFB4B454000

trusted library allocation

page read and write

7FFB4B4AC000

trusted library allocation

page execute and read and write

7FFB4B610000

trusted library allocation

page execute and read and write

365A000

trusted library allocation

page read and write

7FFB4B625000

trusted library allocation

page read and write

DED000

stack

page read and write

37D1000

trusted library allocation

page read and write

7FFB4B660000

trusted library allocation

page read and write

3642000

trusted library allocation

page read and write

3640000

trusted library section

page read and write

E86000

heap

page read and write

37EF000

trusted library allocation

page read and write

7FF4C5480000

trusted library allocation

page execute and read and write

1C180000

heap

page read and write

13A71000

trusted library allocation

page read and write

3663000

trusted library allocation

page read and write

1C7A0000

heap

page read and write

7FFB4B470000

trusted library allocation

page read and write

37CC000

trusted library allocation

page read and write

E40000

trusted library allocation

page read and write

7FFB4B600000

trusted library allocation

page read and write

1C8F0000

heap

page read and write

2C40000

heap

page execute and read and write

7FFB4B464000

trusted library allocation

page read and write

13A68000

trusted library allocation

page read and write

7FFB4B679000

trusted library allocation

page read and write

7FFB4B684000

trusted library allocation

page read and write

7FFB4B628000

trusted library allocation

page read and write

7FFB4B660000

trusted library allocation

page execute and read and write

7FFB4B46D000

trusted library allocation

page execute and read and write

1E28E000

stack

page read and write

710000

heap

page read and write

1CCFD000

stack

page read and write

1BA90000

trusted library allocation

page read and write

30FE000

stack

page read and write

36B4000

trusted library allocation

page read and write

35FA000

trusted library allocation

page read and write

7FFB4B630000

trusted library allocation

page read and write

7FFB4B620000

trusted library allocation

page execute and read and write

3670000

trusted library allocation

page read and write

36BC000

trusted library allocation

page read and write

7FFB4B640000

trusted library allocation

page read and write

7FFB4B630000

trusted library allocation

page execute and read and write

E00000

heap

page read and write

1850000

heap

page read and write

EC3000

heap

page read and write

ED8000

heap

page read and write

EAA000

heap

page read and write

1CE2B000

heap

page read and write

7FFB4B620000

trusted library allocation

page read and write

1E64E000

stack

page read and write

6B0000

heap

page read and write

1DA4E000

stack

page read and write

7FFB4B516000

trusted library allocation

page read and write

2C20000

trusted library allocation

page read and write

7FFB4B640000

trusted library allocation

page read and write

1BC7D000

stack

page read and write

3A61000

trusted library allocation

page read and write

36B0000

trusted library allocation

page read and write

1790000

trusted library allocation

page read and write

35EF000

trusted library allocation

page read and write

E60000

trusted library allocation

page read and write

2CCF000

stack

page read and write

1C690000

heap

page read and write

7FFB4B580000

trusted library allocation

page execute and read and write

7FFB4B453000

trusted library allocation

page execute and read and write

7E0000

heap

page read and write

3831000

trusted library allocation

page read and write

1C790000

heap

page read and write

E00000

heap

page read and write

34B0000

heap

page read and write

1CE1B000

heap

page read and write

7FFB4B600000

trusted library allocation

page read and write

1CDD5000

heap

page read and write

36C0000

trusted library allocation

page read and write

1D0E000

stack

page read and write

7FFB4B510000

trusted library allocation

page execute and read and write

7FFB4B460000

trusted library allocation

page read and write

7FFB4B520000

trusted library allocation

page execute and read and write

7FFB4B510000

trusted library allocation

page read and write

136E000

stack

page read and write

F0F000

heap

page read and write

7FFB4B610000

trusted library allocation

page execute and read and write

F69000

heap

page read and write

1C183000

heap

page read and write

372C000

trusted library allocation

page read and write

E30000

heap

page read and write

1CD90000

heap

page read and write

1C560000

trusted library section

page read and write

17B0000

trusted library allocation

page read and write

1CE00000

heap

page read and write

E95000

heap

page read and write

7FFB4B462000

trusted library allocation

page read and write

7FFB4B450000

trusted library allocation

page read and write

3824000

trusted library allocation

page read and write

37E1000

trusted library allocation

page read and write

F13000

heap

page read and write

EEF000

heap

page read and write

EB0000

heap

page read and write

1D64F000

stack

page read and write

7FFB4B546000

trusted library allocation

page execute and read and write

13A61000

trusted library allocation

page read and write

7FFB4B650000

trusted library allocation

page read and write

1C540000

trusted library section

page read and write

EAE000

heap

page read and write

36D4000

trusted library allocation

page read and write

382B000

trusted library allocation

page read and write

EF7000

heap

page read and write

3650000

heap

page execute and read and write

F7D000

heap

page read and write

1C693000

heap

page read and write

There are 206 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
scan copy.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportscan copy.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
scan copy.exe