Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

fg}.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.897811546999433
Filename:	fg}.exe
Filesize:	59392
MD5:	e9a886374becfb0a5b1dc0ffcee1a04a
SHA1:	c692a6e9437299878b43ea5fa8ee1be0e1f5c782
SHA256:	7e694dfc8060bbbaf8c4139f974696d5fc3be48bd9d9d46eb166f55f7c024fb2
SHA512:	bc9e0affc52ea052eebf1d4b2aff0e89bec9b4780f14914ef14e27bb44a83e266791555fd79b5c1117953b37fe4623b2f6afeffb4f281a0d94e9a4261b882284
SSDEEP:	1536:R3iKaQ7P66xgWbXPIT+VvVkby0A4OiUheAImOF+V3:fPFN0Tg9kby0siA/ROF+V3
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..f............................>.... ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Protects its processes via BreakOnTermination flag	Operating System Destruction
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival
Detected potential crypto function	System Summary	Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\XClient.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\XClient.exe
Category:	dropped
Dump:	XClient.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\fg}.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.897811546999433
Encrypted:	false
Ssdeep:	1536:R3iKaQ7P66xgWbXPIT+VvVkby0A4OiUheAImOF+V3:fPFN0Tg9kby0siA/ROF+V3
Size:	59392
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 21:32:03 2024, mtime=Mon Jul 1 21:32:03 2024, atime=Mon Jul 1 21:32:03 2024, length=59392, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Category:	dropped
Dump:	XClient.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\fg}.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 21:32:03 2024, mtime=Mon Jul 1 21:32:03 2024, atime=Mon Jul 1 21:32:03 2024, length=59392, window=hide
Entropy:	5.044858479027047
Encrypted:	false
Ssdeep:	12:8S24o6idtChToyedY//pFTr4X7SLcFXXjAXVwNHkMp5mV:8EO8oyZfEX4cFXzAXVwCMp5m
Size:	763
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\fg}.exe

"C:\Users\user\Desktop\fg}.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7540
Target ID:	0
Parent PID:	3504
Name:	fg}.exe
Path:	C:\Users\user\Desktop\fg}.exe
Commandline:	"C:\Users\user\Desktop\fg}.exe"
Size:	59392
MD5:	E9A886374BECFB0A5B1DC0FFCEE1A04A
Time:	18:31:58
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4d0000
Modulesize:	81920
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Startup Folder File Write	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

people-climbing.gl.at.ply.gg

Details

Name:	people-climbing.gl.at.ply.gg
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\fg}.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

people-climbing.gl.at.ply.gg

147.185.221.20

Details

Name:	people-climbing.gl.at.ply.gg
IP:	147.185.221.20
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.20

people-climbing.gl.at.ply.gg

United States

Details

IP:	147.185.221.20
TargetID:	0
Current Path:	C:\Users\user\Desktop\fg}.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	people-climbing.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

4D2000

unkown

page readonly

AEF000

heap

page read and write

1AE6D000

stack

page read and write

7FF886D24000

trusted library allocation

page read and write

A63000

heap

page read and write

4D0000

unkown

page readonly

7FF886D1D000

trusted library allocation

page execute and read and write

9F0000

trusted library allocation

page read and write

7FF886D20000

trusted library allocation

page read and write

A20000

trusted library allocation

page read and write

B43000

heap

page read and write

1B67F000

stack

page read and write

27B0000

heap

page read and write

7FF886DBC000

trusted library allocation

page execute and read and write

29E0000

heap

page execute and read and write

5D0000

heap

page read and write

A80000

heap

page read and write

B7C000

heap

page read and write

7FF886D10000

trusted library allocation

page read and write

1B47F000

stack

page read and write

570000

heap

page read and write

B3D000

heap

page read and write

1B8CC000

heap

page read and write

29AE000

stack

page read and write

1C16A000

stack

page read and write

7FF886D03000

trusted library allocation

page execute and read and write

7FF886DB6000

trusted library allocation

page read and write

4D0000

unkown

page readonly

7FF886D04000

trusted library allocation

page read and write

1B8DD000

heap

page read and write

DF0000

heap

page read and write

E05000

heap

page read and write

129F1000

trusted library allocation

page read and write

7FF886DE6000

trusted library allocation

page execute and read and write

1B901000

heap

page read and write

7FF886EA2000

trusted library allocation

page read and write

AF7000

heap

page read and write

1BB74000

stack

page read and write

7FF886D2D000

trusted library allocation

page execute and read and write

AC1000

heap

page read and write

B6B000

heap

page read and write

27AE000

stack

page read and write

7FF886E20000

trusted library allocation

page execute and read and write

A10000

trusted library allocation

page read and write

7FF886DC0000

trusted library allocation

page execute and read and write

E00000

heap

page read and write

AAF000

heap

page read and write

A23000

trusted library allocation

page read and write

8F4000

stack

page read and write

1B880000

heap

page read and write

7FF886DB0000

trusted library allocation

page read and write

A86000

heap

page read and write

1C06B000

stack

page read and write

5A5000

heap

page read and write

303E000

trusted library allocation

page read and write

5A0000

heap

page read and write

1AA20000

trusted library allocation

page read and write

7FF4C9090000

trusted library allocation

page execute and read and write

F0C000

stack

page read and write

1B57E000

stack

page read and write

129F8000

trusted library allocation

page read and write

29F1000

trusted library allocation

page read and write

1BF6C000

stack

page read and write

AAB000

heap

page read and write

7FF886D13000

trusted library allocation

page read and write

7FF886EB0000

trusted library allocation

page execute and read and write

2CE5000

trusted library allocation

page read and write

C7E000

stack

page read and write

1B370000

heap

page execute and read and write

7FF886D0D000

trusted library allocation

page execute and read and write

D7E000

stack

page read and write

7FF886D00000

trusted library allocation

page read and write

1B8CE000

heap

page read and write

A9E000

heap

page read and write

A8C000

heap

page read and write

5B0000

heap

page read and write

AC4000

heap

page read and write

7FF886D5C000

trusted library allocation

page execute and read and write

580000

heap

page read and write

2810000

heap

page read and write

296F000

stack

page read and write

1BA7A000

stack

page read and write

A60000

heap

page read and write

There are 73 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
fg}.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfg}.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
fg}.exe