Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

i3NmF0obCm.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\AEBKFIJEGCAAFHJKFCFCAAAAEG

SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11

dropped

C:\ProgramData\AKFHDBFIDAECAAAKEGDA

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\DGCBKECAKFBGCAKECGIE

ASCII text, with very long lines (1809), with CRLF line terminators

dropped

C:\ProgramData\EGCGHCBK

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\GCGDGHCB

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\GDGDHJJDGHCAAAKEHIJKEBAEGH

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\GDHCGDGIEBKJKFHJJKFCBFBGDA

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\JJKJDAEBFCBKECBGDBFC

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

data

dropped

There are 13 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\i3NmF0obCm.exe

"C:\Users\user\Desktop\i3NmF0obCm.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6304
Target ID:	0
Parent PID:	2580
Name:	i3NmF0obCm.exe
Path:	C:\Users\user\Desktop\i3NmF0obCm.exe
Commandline:	"C:\Users\user\Desktop\i3NmF0obCm.exe"
Size:	161792
MD5:	253CCAC8A47B80287F651987C0C779EA
Time:	01:30:58
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	2342912
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file has a writeable .text section	System Summary
Sample uses string decryption to hide its real strings	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://40.86.87.10/b13597c85f807692/msvcp140.dll

40.86.87.10

http://40.86.87.10/b13597c85f807692/freebl3.dll

40.86.87.10

http://40.86.87.10

unknown

http://40.86.87.10/b13597c85f807692/vcruntime140.dll

40.86.87.10

http://40.86.87.10/b13597c85f807692/sqlite3.dll

40.86.87.10

http://40.86.87.10/108e010e8f91c38c.php

40.86.87.10

http://40.86.87.10/108e010e8f91c38c.

unknown

http://40.86.87.10/b13597c85f807692/mozglue.dll

40.86.87.10

http://40.86.87.10/b13597c85f807692/softokn3.dll

40.86.87.10

http://40.86.87.10/b13597c85f807692/nss3.dll

40.86.87.10

https://duckduckgo.com/chrome_newtab

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

http://40.86.87.10/108e010e8f91c38c.php(

unknown

https://duckduckgo.com/ac/?q=

unknown

http://40.86.87.10/108e010e8f91c38c.php%

unknown

http://40.86.87.10/b13597c85f807692/softokn3.dllJtx

unknown

https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.

unknown

http://40.86.87.10/108e010e8f91c38c.php:

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://40.86.87.10/108e010e8f91c38c.php9

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

http://40.86.87.10/108e010e8f91c38c.php2

unknown

http://40.86.87.10/b13597c85f807692/mozglue.dllv

unknown

http://40.86.87.10/b13597c85f807692/nss3.dllowser

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi

unknown

http://40.86.87.10/b13597c85f807692/freebl3.dll$

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://40.86.87.10/108e010e8f91c38c.php~

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe

unknown

http://40.86.87.10/b13597c85f807692/mozglue.dllL

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94

unknown

http://www.sqlite.org/copyright.html.

unknown

https://cdn.epnacl

unknown

http://40.86.87.10/b13597c85f807692/freebl3.dll:

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://40.86.87.10/108e010e8f91c38c.phposition:

unknown

http://40.86.87.10/108e010e8f91c38c.phpe

unknown

http://40.86.87.10/108e010e8f91c38c.phpirefox

unknown

http://40.86.87.10/b13597c85f807692/nss3.dllll

unknown

http://40.86.87.10/b13597c85f807692/nss3.dllllU

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

http://40.86.87.10/108e010e8f91c38c.php976cbc684762e42ee25308426ba0ad93

unknown

http://40.86.87.10/108e010e8f91c38c.phpv

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://cdn.ep

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://40.86.87.10/108e010e8f91c38c.phpI

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

http://40.86.87.10/b13597c85f807692/nss3.dllQ

unknown

http://40.86.87.10/108e010e8f91c38c.php-LTC

unknown

https://support.mozilla.org

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 49 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

40.86.87.10

unknown

United States

Details

IP:	40.86.87.10
TargetID:	0
Current Path:	C:\Users\user\Desktop\i3NmF0obCm.exe
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

131E000

heap

page read and write

EE1000

unkown

page execute and write copy

EE1000

unkown

page execute and write copy

158E000

stack

page read and write

1218000

stack

page read and write

1B7D0000

heap

page read and write

21859000

heap

page read and write

21860000

heap

page read and write

13FE000

heap

page read and write

21860000

heap

page read and write

27A7E000

heap

page read and write

160E000

stack

page read and write

13F2000

heap

page read and write

1B7D1000

heap

page read and write

27A1A000

heap

page read and write

1B8D0000

trusted library allocation

page read and write

EE0000

unkown

page readonly

21847000

heap

page read and write

27A70000

heap

page read and write

1117000

unkown

page readonly

2187D000

heap

page read and write

61ED4000

direct allocation

page readonly

21857000

heap

page read and write

2187D000

heap

page read and write

21874000

heap

page read and write

1AFBF000

stack

page read and write

121D000

stack

page read and write

1403000

heap

page read and write

21857000

heap

page read and write

21841000

heap

page read and write

1B3BE000

stack

page read and write

2185A000

heap

page read and write

2186A000

heap

page read and write

61ECD000

direct allocation

page readonly

2186F000

heap

page read and write

1648000

heap

page read and write

1B0FF000

stack

page read and write

279E0000

trusted library allocation

page read and write

1B7D1000

heap

page read and write

F28000

unkown

page read and write

2E5A0000

heap

page read and write

E3B000

stack

page read and write

EFC000

unkown

page readonly

27A7C000

heap

page read and write

1213000

stack

page read and write

12F7000

heap

page read and write

2186F000

heap

page read and write

2187D000

heap

page read and write

1381000

heap

page read and write

21853000

heap

page read and write

61ECC000

direct allocation

page read and write

12F5000

heap

page read and write

278B0000

heap

page read and write

218D0000

heap

page read and write

21858000

heap

page read and write

1B13E000

stack

page read and write

2186A000

heap

page read and write

21876000

heap

page read and write

21874000

heap

page read and write

1B75E000

stack

page read and write

218D8000

heap

page read and write

21860000

heap

page read and write

6C570000

unkown

page readonly

131A000

heap

page read and write

15B0000

heap

page read and write

21857000

heap

page read and write

2187D000

heap

page read and write

21846000

heap

page read and write

21860000

heap

page read and write

6C4D0000

unkown

page readonly

2187D000

heap

page read and write

27A78000

heap

page read and write

1310000

heap

page read and write

F04000

unkown

page write copy

1B23F000

stack

page read and write

144E000

stack

page read and write

21857000

heap

page read and write

2185D000

heap

page read and write

E90000

heap

page read and write

2187D000

heap

page read and write

2194E000

heap

page read and write

21860000

heap

page read and write

1B27E000

stack

page read and write

6C571000

unkown

page execute read

21857000

heap

page read and write

2EAB0000

heap

page read and write

21853000

heap

page read and write

61EB4000

direct allocation

page read and write

1B8DC000

heap

page read and write

2187D000

heap

page read and write

174F000

stack

page read and write

2187D000

heap

page read and write

6C4D1000

unkown

page execute read

154E000

stack

page read and write

2187D000

heap

page read and write

21860000

heap

page read and write

1AFFE000

stack

page read and write

13F0000

heap

page read and write

1105000

unkown

page read and write

164C000

heap

page read and write

6C750000

unkown

page read and write

21860000

heap

page read and write

1117000

unkown

page readonly

164C000

heap

page read and write

2187A000

heap

page read and write

27A84000

heap

page read and write

2187D000

heap

page read and write

1B37F000

stack

page read and write

2187D000

heap

page read and write

61ED0000

direct allocation

page read and write

102A000

unkown

page read and write

27A10000

heap

page read and write

140A000

heap

page read and write

6C74F000

unkown

page write copy

21857000

heap

page read and write

21860000

heap

page read and write

21853000

heap

page read and write

61E00000

direct allocation

page execute and read and write

278D0000

heap

page read and write

61EB7000

direct allocation

page readonly

21840000

heap

page read and write

21847000

heap

page read and write

278F0000

heap

page read and write

27931000

heap

page read and write

12F7000

heap

page read and write

2187D000

heap

page read and write

1B4BE000

stack

page read and write

EA0000

heap

page read and write

21874000

heap

page read and write

1B60C000

stack

page read and write

EE0000

unkown

page readonly

13D0000

heap

page read and write

21857000

heap

page read and write

21860000

heap

page read and write

218D1000

heap

page read and write

1365000

heap

page read and write

EFC000

unkown

page readonly

21859000

heap

page read and write

1B65E000

stack

page read and write

6C562000

unkown

page readonly

61ED3000

direct allocation

page read and write

1640000

heap

page read and write

218D8000

heap

page read and write

21857000

heap

page read and write

6C74E000

unkown

page read and write

F86000

unkown

page read and write

61E01000

direct allocation

page execute read

21874000

heap

page read and write

13F7000

heap

page read and write

12F0000

heap

page read and write

21846000

heap

page read and write

21860000

heap

page read and write

21856000

heap

page read and write

21854000

heap

page read and write

6C54D000

unkown

page readonly

6C55E000

unkown

page read and write

F04000

unkown

page write copy

1B50D000

stack

page read and write

2186F000

heap

page read and write

6C755000

unkown

page readonly

6C70F000

unkown

page readonly

1B7C0000

heap

page read and write

There are 152 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
i3NmF0obCm.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporti3NmF0obCm.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
i3NmF0obCm.exe