Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\QFDXInkpM8.exe

"C:\Users\user\Desktop\QFDXInkpM8.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5856
Target ID:	0
Parent PID:	2580
Name:	QFDXInkpM8.exe
Path:	C:\Users\user\Desktop\QFDXInkpM8.exe
Commandline:	"C:\Users\user\Desktop\QFDXInkpM8.exe"
Size:	4968448
MD5:	F993A688264EC59724AA279E0B93E42C
Time:	09:57:00
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	4968448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Amadeys stealer DLL	Stealing of Sensitive Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

IPs

Domain

Country

Malicious

77.91.77.81

unknown

Russian Federation

Details

IP:	77.91.77.81
TargetID:	255
Country:	Russian Federation
Countrycode:	RUS
ASN number:	42861
ASN name:	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

2C1000

unkown

page execute read

2C1000

unkown

page execute read

280000

heap

page read and write

19E000

stack

page read and write

2C0000

unkown

page readonly

2C0000

unkown

page readonly

BA0000

heap

page read and write

9D000

stack

page read and write

612000

unkown

page execute and write copy

612000

unkown

page execute and write copy

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QFDXInkpM8.exe

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQFDXInkpM8.exe

Processes

IPs

Memdumps

IOC Report
QFDXInkpM8.exe