Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\VG0x1LZCFb.exe

"C:\Users\user\Desktop\VG0x1LZCFb.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3212
Target ID:	0
Parent PID:	4004
Name:	VG0x1LZCFb.exe
Path:	C:\Users\user\Desktop\VG0x1LZCFb.exe
Commandline:	"C:\Users\user\Desktop\VG0x1LZCFb.exe"
Size:	248832
MD5:	F0584EC3946ED12FACABAAE4789235B7
Time:	08:50:53
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x350000
Modulesize:	278528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\VG0x1LZCFb.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

expresscargoes.net

51.255.149.48

Details

Name:	expresscargoes.net
IP:	51.255.149.48
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.expresscargoes.net

unknown

Details

Name:	mail.expresscargoes.net
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

51.255.149.48

expresscargoes.net

France

Details

IP:	51.255.149.48
TargetID:	0
Current Path:	C:\Users\user\Desktop\VG0x1LZCFb.exe
Country:	France
Countrycode:	FRA
ASN number:	16276
ASN name:	OVHFR
Private:	false
Domain:	expresscargoes.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	0
Current Path:	C:\Users\user\Desktop\VG0x1LZCFb.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VG0x1LZCFb_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

27C4000

trusted library allocation

page read and write

352000

unkown

page readonly

27A1000

trusted library allocation

page read and write

BA3000

heap

page read and write

A9B000

trusted library allocation

page execute and read and write

6300000

trusted library allocation

page execute and read and write

27D7000

trusted library allocation

page read and write

6324000

trusted library allocation

page read and write

67BD000

stack

page read and write

8BE000

stack

page read and write

4C30000

heap

page read and write

A92000

trusted library allocation

page read and write

A86000

trusted library allocation

page execute and read and write

6450000

trusted library allocation

page read and write

51DD000

stack

page read and write

BA5000

heap

page read and write

A97000

trusted library allocation

page execute and read and write

A64000

trusted library allocation

page read and write

CBE000

stack

page read and write

6310000

trusted library allocation

page read and write

278F000

trusted library allocation

page read and write

B3E000

heap

page read and write

A80000

trusted library allocation

page read and write

CC0000

heap

page read and write

2786000

trusted library allocation

page read and write

4C20000

heap

page read and write

2862000

trusted library allocation

page read and write

2611000

trusted library allocation

page read and write

5B6F000

heap

page read and write

A63000

trusted library allocation

page execute and read and write

6440000

heap

page read and write

61FE000

stack

page read and write

619E000

stack

page read and write

3751000

trusted library allocation

page read and write

4E5C000

stack

page read and write

ACA000

heap

page read and write

DA0000

heap

page read and write

6320000

trusted library allocation

page read and write

4BEC000

stack

page read and write

2751000

trusted library allocation

page read and write

390000

unkown

page readonly

790000

heap

page read and write

280C000

trusted library allocation

page read and write

A5E000

stack

page read and write

AF5000

heap

page read and write

4D50000

heap

page execute and read and write

6AC0000

heap

page read and write

907000

heap

page read and write

6A10000

trusted library allocation

page execute and read and write

350000

unkown

page readonly

2640000

heap

page read and write

67C0000

trusted library allocation

page read and write

ACE000

heap

page read and write

283A000

trusted library allocation

page read and write

6319000

trusted library allocation

page read and write

B02000

heap

page read and write

62FE000

stack

page read and write

D70000

trusted library allocation

page execute and read and write

3779000

trusted library allocation

page read and write

738000

stack

page read and write

900000

heap

page read and write

63FE000

stack

page read and write

663E000

stack

page read and write

2856000

trusted library allocation

page read and write

B7F000

heap

page read and write

DA7000

heap

page read and write

67E0000

trusted library allocation

page read and write

B56000

heap

page read and write

5B4E000

heap

page read and write

2558000

trusted library allocation

page read and write

A70000

trusted library allocation

page read and write

67F0000

trusted library allocation

page execute and read and write

6820000

trusted library allocation

page read and write

D80000

trusted library allocation

page read and write

609E000

stack

page read and write

274F000

stack

page read and write

2630000

trusted library allocation

page read and write

A82000

trusted library allocation

page read and write

2602000

trusted library allocation

page read and write

2897000

trusted library allocation

page read and write

27CC000

trusted library allocation

page read and write

A95000

trusted library allocation

page execute and read and write

A7D000

trusted library allocation

page execute and read and write

260E000

trusted library allocation

page read and write

63A000

stack

page read and write

4F9F000

stack

page read and write

37B9000

trusted library allocation

page read and write

37E2000

trusted library allocation

page read and write

25F0000

trusted library allocation

page read and write

A6D000

trusted library allocation

page execute and read and write

27C0000

trusted library allocation

page read and write

2622000

trusted library allocation

page read and write

A60000

trusted library allocation

page read and write

4C34000

heap

page read and write

A8A000

trusted library allocation

page execute and read and write

66BE000

stack

page read and write

4D40000

trusted library allocation

page read and write

D2E000

stack

page read and write

5B0C000

heap

page read and write

870000

heap

page read and write

2819000

trusted library allocation

page read and write

25FB000

trusted library allocation

page read and write

955000

heap

page read and write

484E000

stack

page read and write

65FE000

stack

page read and write

67D0000

trusted library allocation

page execute and read and write

25FE000

trusted library allocation

page read and write

950000

heap

page read and write

CE0000

heap

page execute and read and write

D6C000

stack

page read and write

AB0000

trusted library allocation

page read and write

AC0000

heap

page read and write

8FE000

stack

page read and write

643E000

stack

page read and write

261D000

trusted library allocation

page read and write

B71000

heap

page read and write

67EB000

trusted library allocation

page read and write

940000

trusted library allocation

page read and write

6457000

trusted library allocation

page read and write

279D000

trusted library allocation

page read and write

636D000

stack

page read and write

4C40000

heap

page read and write

6830000

heap

page read and write

B00000

heap

page read and write

5DDE000

stack

page read and write

2616000

trusted library allocation

page read and write

667E000

stack

page read and write

7F5E0000

trusted library allocation

page execute and read and write

27C2000

trusted library allocation

page read and write

D90000

trusted library allocation

page read and write

4B90000

trusted library allocation

page read and write

5AA0000

heap

page read and write

4E9E000

stack

page read and write

There are 123 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
VG0x1LZCFb.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportVG0x1LZCFb.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
VG0x1LZCFb.exe