Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\setup.exe

"C:\Users\user\Desktop\setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6868
Target ID:	0
Parent PID:	2580
Name:	setup.exe
Path:	C:\Users\user\Desktop\setup.exe
Commandline:	"C:\Users\user\Desktop\setup.exe"
Size:	420864
MD5:	1B898DF684811054D405E9C31FDDD80A
Time:	18:10:56
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8b0000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6900
Target ID:	1
Parent PID:	6868
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	18:10:56
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal

unknown

http://docs.oasis-open.org/ws-tx/wscoor/2006/06/fault

unknown

http://tempuri.org/Endpoint/CheckConnectResponseX

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse

unknown

http://tempuri.org/Endpoint/PartInstalledBrowsersLR

unknown

http://tempuri.org/Endpoint/ConfirmResponseX

unknown

http://tempuri.org/Endpoint/PartDiscordLR

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT

unknown

http://tempuri.org/Endpoint/SetEnvironmentResponseX

unknown

http://docs.oasis-open.org/ws-tx/wscoor/2006/06

unknown

http://tempuri.org/Endpoint/GetUpdatesResponseX

unknown

http://tempuri.org/Endpoint/PartLanguagesResponseX

unknown

http://tempuri.org/Endpoint/PartLanguagesLR

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Endpoint/PartInstalledSoftwaresResponseX

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Cancel

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://tempuri.org/Endpoint/GetUpdatesLR

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal

unknown

http://tempuri.org/Endpoint/PartColdWalletsLR

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/fault

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement

unknown

http://schemas.datacontract.org/2004/07/

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Replay

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Aborted

unknown

http://tempuri.org/Endpoint/h

unknown

https://api.ip.sb/geoip%USERPEnvironmentROFILE%

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel

unknown

http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://tempuri.org/Endpoint/InitDisplayLR

unknown

http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepared

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/Endpoint/PartScannedFilesResponseX

unknown

http://tempuri.org/Endpoint/PartDefendersResponseX

unknown

http://tempuri.org/Endpoint/PartHardwaresLR

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://tempuri.org/Endpoint/PartScannedFilesLR

unknown

http://tempuri.org/Endpoint/PartHardwaresResponseX

unknown

http://tempuri.org/Endpoint/PartTelegramFilesLR

unknown

http://tempuri.org/Endpoint/PartProtonVPNLR

unknown

http://tempuri.org/Endpoint/PartNordVPNLR

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel

unknown

http://tempuri.org/Endpoint/InitDisplayResponseX

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Endpoint/PartProcessesResponseX

unknown

http://tempuri.org/Endpoint/PartTelegramFilesResponseX

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Endpoint/PartInstalledSoftwaresLR

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Durable2PC

unknown

http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/ReadOnly

unknown

http://tempuri.org/Endpoint/CheckConnectLR

unknown

http://tempuri.org/Endpoint/PartInstalledBrowsersResponseX

unknown

http://tempuri.org/Endpoint/PartOpenVPNResponseX

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/fault

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel

unknown

http://tempuri.org/8

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence

unknown

http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512

unknown

http://tempuri.org/Endpoint/PartProcessesLR

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

http://tempuri.org/Endpoint/EnvironmentSettingsLR

unknown

http://tempuri.org/Endpoint/PartColdWalletsResponseX

unknown

http://tempuri.org/Endpoint/PartProtonVPNResponseX

unknown

http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponse

unknown

http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Register

unknown

http://tempuri.org/Endpoint/InitLR

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Completion

unknown

http://tempuri.org/Endpoint/PartSteamFilesLR

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://tempuri.org/Endpoint/PartSteamFilesResponseX

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

unknown

http://docs.oasis-open.org/ws-tx/wsat/2006/06/Commit

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/fault

unknown

http://tempuri.org/Endpoint/PartFtpConnectionsLR

unknown

http://tempuri.org/Endpoint/VerifyUpdateLR

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

unknown

http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Renew

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

141.94.188.138

unknown

Germany

Details

IP:	141.94.188.138
TargetID:	0
Current Path:	C:\Users\user\Desktop\setup.exe
Country:	Germany
Countrycode:	DEU
ASN number:	680
ASN name:	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3C91000

trusted library allocation

page read and write

53B0000

trusted library section

page read and write

2C91000

trusted library allocation

page read and write

5430000

trusted library allocation

page read and write

ED4000

heap

page read and write

E83000

trusted library allocation

page execute and read and write

DA0000

heap

page read and write

FF7000

trusted library allocation

page execute and read and write

9AC000

stack

page read and write

2DE1000

trusted library allocation

page read and write

5260000

trusted library allocation

page execute and read and write

2C75000

trusted library allocation

page read and write

7FA10000

trusted library allocation

page execute and read and write

2C7B000

trusted library allocation

page read and write

5210000

trusted library allocation

page execute and read and write

FE0000

trusted library allocation

page read and write

2C3E000

trusted library allocation

page read and write

51D0000

trusted library allocation

page read and write

2C26000

trusted library allocation

page read and write

2AE7000

heap

page read and write

DA5000

heap

page read and write

5170000

trusted library allocation

page read and write

EC7000

heap

page read and write

1070000

trusted library allocation

page execute and read and write

8B0000

unkown

page readonly

2C78000

trusted library allocation

page read and write

E9A000

heap

page read and write

E8D000

trusted library allocation

page execute and read and write

E80000

trusted library allocation

page read and write

51AD000

trusted library allocation

page read and write

FE6000

trusted library allocation

page execute and read and write

2C32000

trusted library allocation

page read and write

610E000

stack

page read and write

5230000

trusted library allocation

page read and write

5250000

trusted library allocation

page read and write

D40000

heap

page read and write

5200000

trusted library allocation

page execute and read and write

5450000

trusted library allocation

page read and write

2BEE000

stack

page read and write

2E97000

trusted library allocation

page read and write

5470000

trusted library allocation

page execute and read and write

4E2E000

stack

page read and write

5420000

trusted library allocation

page read and write

1000000

heap

page read and write

D70000

heap

page read and write

51C0000

trusted library allocation

page read and write

E90000

heap

page read and write

FD0000

trusted library allocation

page read and write

2C21000

trusted library allocation

page read and write

5180000

trusted library allocation

page read and write

5240000

trusted library allocation

page read and write

2AAD000

stack

page read and write

FF5000

trusted library allocation

page execute and read and write

55F9000

heap

page read and write

8B2000

unkown

page readonly

D90000

trusted library allocation

page read and write

5480000

trusted library allocation

page read and write

2C50000

trusted library allocation

page read and write

2C70000

trusted library allocation

page read and write

E84000

trusted library allocation

page read and write

3DE6000

trusted library allocation

page read and write

FF2000

trusted library allocation

page read and write

582E000

stack

page read and write

2C60000

heap

page execute and read and write

5191000

trusted library allocation

page read and write

5410000

trusted library allocation

page read and write

FDD000

trusted library allocation

page execute and read and write

D20000

heap

page read and write

51A7000

trusted library allocation

page read and write

1060000

trusted library allocation

page read and write

F05000

heap

page read and write

2EEC000

trusted library allocation

page read and write

D10000

heap

page read and write

2C1B000

trusted library allocation

page read and write

2AB0000

trusted library allocation

page read and write

FFB000

trusted library allocation

page execute and read and write

57EF000

stack

page read and write

5220000

trusted library allocation

page read and write

FE2000

trusted library allocation

page read and write

55FF000

heap

page read and write

54CE000

stack

page read and write

2AE0000

heap

page read and write

2C80000

heap

page execute and read and write

55F0000

heap

page read and write

596E000

stack

page read and write

90B000

unkown

page readonly

918000

unkown

page readonly

1080000

heap

page read and write

2E42000

trusted library allocation

page read and write

51A0000

trusted library allocation

page read and write

5440000

trusted library allocation

page execute and read and write

5460000

heap

page read and write

51B1000

trusted library allocation

page read and write

2A6E000

stack

page read and write

2C10000

trusted library allocation

page read and write

53AF000

stack

page read and write

FEA000

trusted library allocation

page execute and read and write

52AE000

stack

page read and write

592E000

stack

page read and write

CF7000

stack

page read and write

There are 90 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
setup.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsetup.exe

Processes

URLs

IPs

Memdumps

IOC Report
setup.exe