Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

jlO7971vUz.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\AAAEBAFBGIDHCBFHIECFCBGHIE

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\BKJKEBGDHDAFHJKEGIID

ASCII text, with very long lines (1743), with CRLF line terminators

dropped

C:\ProgramData\DGCFHIDA

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\ProgramData\FBKFCFBFIDGCGDHJDBKFHCFBGI

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\JDBFIIEBGCAKKEBFBAAFIIEGCF

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\JDBGHIIDAECBFIDHIIDGIIIIII

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\JDGCGHCGHCBFHJJKKJEH

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KFIJJEGH

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\KJJJKFIIIJJJECAAEHDB

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

data

dropped

There are 14 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\jlO7971vUz.exe

"C:\Users\user\Desktop\jlO7971vUz.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2380
Target ID:	0
Parent PID:	1028
Name:	jlO7971vUz.exe
Path:	C:\Users\user\Desktop\jlO7971vUz.exe
Commandline:	"C:\Users\user\Desktop\jlO7971vUz.exe"
Size:	15461583
MD5:	4BFE7A656D28F578CA10ABA4C225FF41
Time:	07:01:54
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb30000
Modulesize:	708608
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\jlO7971vUz.exe" & del "C:\ProgramData\*.dll"" & exit

Details

Is windows:	true
Is dropped:	false
PID:	6152
Target ID:	3
Parent PID:	2380
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\jlO7971vUz.exe" & del "C:\ProgramData\*.dll"" & exit
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	07:02:16
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample uses string decryption to hide its real strings	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5340
Target ID:	4
Parent PID:	6152
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:02:16
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Details

Is windows:	true
Is dropped:	false
PID:	3140
Target ID:	5
Parent PID:	6152
Name:	timeout.exe
Path:	C:\Windows\SysWOW64\timeout.exe
Commandline:	timeout /t 5
Size:	25088
MD5:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Time:	07:02:17
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x370000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://147.45.78.162/d82daa352ff6e06f/freebl3.dll

147.45.78.162

http://147.45.78.162/d82daa352ff6e06f/nss3.dll

147.45.78.162

http://147.45.78.162/d82daa352ff6e06f/mozglue.dll

147.45.78.162

http://147.45.78.162/d82daa352ff6e06f/vcruntime140.dll

147.45.78.162

147.45.78.162/a17861b9cb6f1a53.php

http://147.45.78.162/d82daa352ff6e06f/sqlite3.dll

147.45.78.162

http://147.45.78.162/d82daa352ff6e06f/msvcp140.dll

147.45.78.162

http://147.45.78.162/d82daa352ff6e06f/softokn3.dll

147.45.78.162

http://147.45.78.162/a17861b9cb6f1a53.php

147.45.78.162

http://147.45.78.162

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://duckduckgo.com/ac/?q=

unknown

https://mozilla.org0/

unknown

http://147.45.78.162/a17861b9cb6f1a53.phpX

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://147.45.78.162/d82daa352ff6e06f/freebl3.dll1

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi

unknown

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.

unknown

http://147.45.78.162/d82daa352ff6e06f/nss3.dll_=

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://147.45.78.162/d82daa352ff6e06f/softokn3.dllw

unknown

https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg

unknown

http://147.45.78.162/a17861b9cb6f1a53.php.0//EN

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

http://147.45.78.162/d82daa352ff6e06f/mozglue.dllW

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL

unknown

https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477

unknown

https://support.mozilla.org

unknown

http://147.45.78.162/d82daa352ff6e06f/msvcp140.dll#

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://www.sqlite.org/copyright.html.

unknown

There are 29 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

147.45.78.162

unknown

Russian Federation

Details

IP:	147.45.78.162
TargetID:	0
Current Path:	C:\Users\user\Desktop\jlO7971vUz.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

13AE000

heap

page read and write

1690000

heap

page read and write

17E0000

direct allocation

page execute and read and write

6C4D0000

unkown

page readonly

27CC0000

heap

page read and write

B49000

unkown

page read and write

16D1000

heap

page read and write

27D2A000

heap

page read and write

16BF000

heap

page read and write

16D2000

heap

page read and write

21CB6000

heap

page read and write

16E5000

heap

page read and write

21D52000

heap

page read and write

16F4000

heap

page read and write

149C000

heap

page read and write

23FC000

stack

page read and write

2DF40000

heap

page read and write

B31000

unkown

page execute read

61EB7000

direct allocation

page readonly

16D6000

heap

page read and write

16C9000

heap

page read and write

1413000

heap

page read and write

1B88D000

stack

page read and write

FFE000

stack

page read and write

16E4000

heap

page read and write

16D9000

heap

page read and write

2640000

heap

page read and write

13A0000

heap

page read and write

16D9000

heap

page read and write

F70000

heap

page read and write

FBE000

stack

page read and write

16C0000

heap

page read and write

2B5F000

stack

page read and write

16F4000

heap

page read and write

B49000

unkown

page write copy

1B64E000

stack

page read and write

61ED4000

direct allocation

page readonly

17CE000

stack

page read and write

16D2000

heap

page read and write

16E4000

heap

page read and write

6C431000

unkown

page execute read

17D8000

heap

page read and write

16E5000

heap

page read and write

16CC000

heap

page read and write

16F4000

heap

page read and write

16D6000

heap

page read and write

16D1000

heap

page read and write

268E000

stack

page read and write

6C6AF000

unkown

page write copy

2800000

heap

page read and write

6C4AD000

unkown

page readonly

16D9000

heap

page read and write

16D6000

heap

page read and write

2DF4B000

heap

page read and write

182E000

direct allocation

page execute and read and write

6C6B5000

unkown

page readonly

16BF000

heap

page read and write

16C4000

heap

page read and write

16D5000

heap

page read and write

16C4000

heap

page read and write

1B60E000

stack

page read and write

16F3000

heap

page read and write

16CC000

heap

page read and write

16E4000

heap

page read and write

B30000

unkown

page readonly

188A000

direct allocation

page execute and read and write

B30000

unkown

page readonly

16F4000

heap

page read and write

16E5000

heap

page read and write

16F4000

heap

page read and write

34140000

heap

page read and write

27D3A000

heap

page read and write

2690000

heap

page read and write

6C6AE000

unkown

page read and write

1BCA8000

heap

page read and write

17D7000

heap

page read and write

16CC000

heap

page read and write

1A17000

direct allocation

page execute and read and write

1BBA0000

heap

page read and write

16B8000

heap

page read and write

61E01000

direct allocation

page execute read

1B3CE000

stack

page read and write

16F4000

heap

page read and write

2697000

heap

page read and write

61ED0000

direct allocation

page read and write

16E4000

heap

page read and write

16D6000

heap

page read and write

13F5000

heap

page read and write

16D5000

heap

page read and write

16D1000

heap

page read and write

33FCB000

stack

page read and write

16C4000

heap

page read and write

BDB000

unkown

page readonly

61ECD000

direct allocation

page readonly

16BB000

heap

page read and write

1BBA1000

heap

page read and write

16C3000

heap

page read and write

BB3000

unkown

page readonly

12F4000

stack

page read and write

6C430000

unkown

page readonly

27D0000

heap

page read and write

16C4000

heap

page read and write

17DB000

heap

page read and write

27D7D000

heap

page read and write

16D1000

heap

page read and write

16D6000

heap

page read and write

17D0000

heap

page read and write

27D55000

heap

page read and write

3424C000

stack

page read and write

B4A000

unkown

page readonly

14B5000

heap

page read and write

13AB000

heap

page read and write

B4A000

unkown

page readonly

B42000

unkown

page readonly

1BB90000

heap

page read and write

16D9000

heap

page read and write

2DF46000

heap

page read and write

23BC000

stack

page read and write

16EF000

heap

page read and write

16CF000

heap

page read and write

16BF000

heap

page read and write

16D1000

heap

page read and write

6C4C2000

unkown

page readonly

17DB000

heap

page read and write

1B9CC000

stack

page read and write

1360000

heap

page read and write

16F4000

heap

page read and write

1B4CF000

stack

page read and write

16CF000

heap

page read and write

16D9000

heap

page read and write

2DD9E000

stack

page read and write

16D9000

heap

page read and write

16EF000

heap

page read and write

16E4000

heap

page read and write

42D0000

heap

page read and write

168F000

stack

page read and write

16C3000

heap

page read and write

16F2000

heap

page read and write

16D0000

heap

page read and write

1B74F000

stack

page read and write

6C6B0000

unkown

page read and write

16F4000

heap

page read and write

16E3000

heap

page read and write

16D9000

heap

page read and write

340EB000

stack

page read and write

16C4000

heap

page read and write

1A05000

direct allocation

page execute and read and write

61ECC000

direct allocation

page read and write

16D4000

heap

page read and write

2B1E000

stack

page read and write

1B8CD000

stack

page read and write

2DF43000

heap

page read and write

14B0000

heap

page read and write

1B38F000

stack

page read and write

16D9000

heap

page read and write

1B78D000

stack

page read and write

192D000

direct allocation

page execute and read and write

16D8000

heap

page read and write

61E00000

direct allocation

page execute and read and write

1BA6E000

stack

page read and write

17DB000

heap

page read and write

1B1F000

stack

page read and write

F60000

heap

page read and write

16D1000

heap

page read and write

B42000

unkown

page readonly

16DE000

heap

page read and write

F0C000

stack

page read and write

6C4BE000

unkown

page read and write

2DEDB000

stack

page read and write

16D5000

heap

page read and write

16D9000

heap

page read and write

21C15000

heap

page read and write

16BF000

heap

page read and write

16D9000

heap

page read and write

16F4000

heap

page read and write

16D7000

heap

page read and write

16CA000

heap

page read and write

6C4D1000

unkown

page execute read

27CF000

stack

page read and write

16F4000

heap

page read and write

16DF000

heap

page read and write

61EB4000

direct allocation

page read and write

6C66F000

unkown

page readonly

2DE9F000

stack

page read and write

16D9000

heap

page read and write

B31000

unkown

page execute read

16F4000

heap

page read and write

BDB000

unkown

page readonly

1BCA0000

trusted library allocation

page read and write

61ED3000

direct allocation

page read and write

2DF38000

heap

page read and write

16CD000

heap

page read and write

16D6000

heap

page read and write

16BF000

heap

page read and write

16CC000

heap

page read and write

1B50E000

stack

page read and write

16D9000

heap

page read and write

16D1000

heap

page read and write

16BF000

heap

page read and write

16E4000

heap

page read and write

14B7000

heap

page read and write

16BF000

heap

page read and write

1BB6D000

stack

page read and write

16BF000

heap

page read and write

BB3000

unkown

page readonly

27D50000

heap

page read and write

16F4000

heap

page read and write

There are 197 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
jlO7971vUz.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportjlO7971vUz.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
jlO7971vUz.exe