Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.905003406667077
Filename:	file.exe
Filesize:	5158776
MD5:	06e9439beabd1813ff13295adbba48ff
SHA1:	f70c1c806fcb2fbbd97d4c9ecf7c473b3dc957da
SHA256:	47eb2e1f94933fc6da9cf436804c0a303c539de3ce93c7dfaa6b427625447a22
SHA512:	3143051b25bce1e2a80dc11006398309d09308ae6542e0e20c1c3e95947ea798d176ea75c8a53265846a902b2d0f9e81dc315e1343ec7d5b7fd4e16d77d7d118
SSDEEP:	98304:a84BwyMWieDN4+F/8njOyiiqTdAGlucxG3:aAEwnjOy5qzlucE3
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........f...5...5...5...4...5...4...5...4...5Lc.5...5...4...5...4W..5...4...5...4...5...4...5...5...5...4...5...4...5...4T..5..05...

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Sample uses string decryption to hide its real strings	AV Detection
Searches for specific processes (likely to inject)	HIPS / PFW / Operating System Protection Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary	Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Security Software Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Detected potential crypto function	System Summary	System Time Discovery Security Software Discovery Process Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
One or more processes crash	System Summary
PE / OLE file has an invalid certificate	System Summary	Security Software Discovery File and Directory Discovery
PE file contains an invalid checksum	Data Obfuscation	Security Software Discovery
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API Security Software Discovery File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Security Software Discovery Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Security Software Discovery Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	Security Software Discovery File and Directory Discovery
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery Archive Collected Data
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_23ac2d3598194099bfea53d8620e685cbd9df63_2fa1aaae_46522aeb-fbd2-4ad7-8707-f1f3c121c621\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_23ac2d3598194099bfea53d8620e685cbd9df63_2fa1aaae_46522aeb-fbd2-4ad7-8707-f1f3c121c621\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.1831758355341229
Encrypted:	false
Ssdeep:	192:Pp56fGxBvSQvIPpw0YvK6NC03jRdZrKFayIzuiF7Z24IO8nZBu:Us5IRLYvK6HjUjIzuiF7Y4IO8P
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F85.tmp.dmp

Mini DuMP crash report, 15 streams, Wed Jul 3 14:50:15 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F85.tmp.dmp
Category:	dropped
Dump:	WER5F85.tmp.dmp.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Wed Jul 3 14:50:15 2024, 0x1205a4 type
Entropy:	1.8277239220974038
Encrypted:	false
Ssdeep:	768:OHnikT6HSmIR7W5FRgwy/9RVDw+Tu9JkIv:SRO57gP1u9Jx
Size:	187574
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6283.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6283.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER6283.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6981652379830625
Encrypted:	false
Ssdeep:	192:R6l7wVeJLCn6o6Y2DemSU9jgmfBfUJlscfupr189bVUsf+G7nm:R6lXJu6o6YiSU9jgmfpUJlsKZVHf+9
Size:	8362
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62B3.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER62B3.tmp.xml
Category:	dropped
Dump:	WER62B3.tmp.xml.6.dr
ID:	dr_6
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.490284455717078
Encrypted:	false
Ssdeep:	48:cvIwWl8zsCJg77aI94vrWpW8VYtYm8M4JIjzFnh+q8bqRFTcWvd:uIjfQI7KC7VJJGh1TcWvd
Size:	4690
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.996617769952133
Encrypted:	true
Ssdeep:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
Size:	71954
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	data
Entropy:	3.144086598890895
Encrypted:	false
Ssdeep:	6:kKrHa9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DVDnLNkPlE99SNxAhUe/3
Size:	328
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4689181212615265
Encrypted:	false
Ssdeep:	6144:7zZfpi6ceLPx9skLmb0fqZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:3ZHtqZWOKnMM6bFp9j4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5316
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	5158776
MD5:	06E9439BEABD1813FF13295ADBBA48FF
Time:	10:49:55
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe00000
Modulesize:	5537792
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068

Details

Is windows:	true
Is dropped:	false
PID:	2032
Target ID:	6
Parent PID:	5316
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2068
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	10:50:15
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x530000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://t.me/

unknown

https://steamcommunity.com/profiles/76561199730044335

https://t.me/bu77un

149.154.167.99

https://116.202.180.70:5432/sqlt.dll4

unknown

https://nydus.battle.net/App/%s/setup/app

unknown

https://telemetry-in.battlenet.com.cn/datahttps://telemetry-in.battle.net/data

unknown

https://116.202.180.70:5432/

unknown

http://nydus.battle.net/App/%s/setup/error/%s

unknown

https://www.openssl.org/docs/faq.html

unknown

http://www.google.com/get/noto/

unknown

https://web.telegram.org

unknown

http://nydus.battle.net/geoip

unknown

https://116.202.180.70:5432/2

unknown

https://116.202.180.70:5432/dows

unknown

https://116.202.180.70:5432/1

unknown

https://116.202.180.70:5432/talV

unknown

https://bitwarden.com

unknown

http://upx.sf.net

unknown

https://116.202.180.70:5432

unknown

https://116.202.180.70:5432rss.exe

unknown

https://116.202.180.70:5432/sqlt.dllnamK.exe

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

https://t.me/bu77unguf_hMozilla/5.0

unknown

http://iir.blizzard.com:3724/submit/BNET_APP

unknown

https://telemetry-in.battlenet.com.cn/data

unknown

https://telemetry-in.battle.net/data

unknown

https://116.202.180.70:5432/T

unknown

https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll

unknown

http:///1.18.10.3141/Apps/Battle.net.agent.db

unknown

https://116.202.180.70:5432/ps;PATHEXT=.CO

unknown

http://iir.blizzard.com:3724/submit/BNET_APPUnknown

unknown

https://116.202.180.70:5432Content-Disposition:

unknown

http://scripts.sil.org/OFL

unknown

https://116.202.180.70:5432/sqlt.dll

unknown

http://nydus.battle.net/geoipX-Geoip-RegionX-Geoip-CountryUSCNSEASGGETd:

unknown

https://nydus.battle.net/App/%s/setup/appSelected

unknown

https://116.202.180.70/

unknown

https://116.202.180.70:5432/Y/h

unknown

There are 28 hidden URLs, click here to show them.

Domains

Name

Malicious

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

198.187.3.20.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

116.202.180.70

unknown

Germany

Details

IP:	116.202.180.70
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking