Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

payment details.pdf.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.950676148320351
Filename:	payment details.pdf.exe
Filesize:	984064
MD5:	0f4b5fb26bf123aa8fd8e90add5770fc
SHA1:	8c9b1825d6ae3a7a9e8dc0a8a1dada05b8124720
SHA256:	c3a045823e045eb117eceefa8d34697c835fc969831e0f1d1401bea5edb8e596
SHA512:	9121102beedcf9e164450814339d5629c8dca899d11b51df0f74184b80eec48a09dde917a863087b3cdce8e4d33c4df89a23dc5fa79f9432e20a49b8b1770464
SSDEEP:	24576:M8YI5axhPU3Mvbb719Jy784CFRodKRDQbpEN:M8BqPU3Mvfh7a8JFRQbuN
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......f........... ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment details.pdf.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment details.pdf.exe.log
Category:	dropped
Dump:	payment details.pdf.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\payment details.pdf.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\payment details.pdf.exe

"C:\Users\user\Desktop\payment details.pdf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2848
Target ID:	0
Parent PID:	4084
Name:	payment details.pdf.exe
Path:	C:\Users\user\Desktop\payment details.pdf.exe
Commandline:	"C:\Users\user\Desktop\payment details.pdf.exe"
Size:	984064
MD5:	0F4B5FB26BF123AA8FD8E90ADD5770FC
Time:	11:48:09
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x820000
Modulesize:	1007616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\payment details.pdf.exe

"C:\Users\user\Desktop\payment details.pdf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4412
Target ID:	3
Parent PID:	2848
Name:	payment details.pdf.exe
Path:	C:\Users\user\Desktop\payment details.pdf.exe
Commandline:	"C:\Users\user\Desktop\payment details.pdf.exe"
Size:	984064
MD5:	0F4B5FB26BF123AA8FD8E90ADD5770FC
Time:	11:48:10
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x550000
Modulesize:	1007616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

BC0000

direct allocation

page read and write

53AE000

stack

page read and write

AD0000

heap

page read and write

C20000

heap

page read and write

4635000

trusted library allocation

page read and write

6DD000

stack

page read and write

2D70000

trusted library allocation

page execute and read and write

13C1000

direct allocation

page execute and read and write

5700000

trusted library section

page read and write

2C90000

trusted library allocation

page read and write

FDD000

trusted library allocation

page execute and read and write

EE0000

trusted library allocation

page read and write

2D40000

trusted library allocation

page read and write

2CD0000

trusted library allocation

page read and write

D20000

heap

page read and write

2D10000

heap

page read and write

DBE000

heap

page read and write

52E0000

heap

page read and write

6084000

heap

page read and write

1421000

trusted library allocation

page read and write

7F050000

trusted library allocation

page execute and read and write

FF0000

trusted library allocation

page read and write

1020000

trusted library allocation

page read and write

53B0000

trusted library allocation

page read and write

9AA000

stack

page read and write

ACE000

stack

page read and write

7E6E000

stack

page read and write

5710000

heap

page read and write

FED000

trusted library allocation

page execute and read and write

1239000

direct allocation

page execute and read and write

2D22000

trusted library allocation

page read and write

773D000

stack

page read and write

2CA0000

trusted library allocation

page read and write

1426000

trusted library allocation

page read and write

2D80000

heap

page execute and read and write

CF7000

stack

page read and write

FF2000

trusted library allocation

page read and write

2DF7000

trusted library allocation

page read and write

AE0000

heap

page read and write

100B000

trusted library allocation

page execute and read and write

52B0000

trusted library section

page readonly

2C00000

trusted library allocation

page read and write

604F000

stack

page read and write

4E8C000

stack

page read and write

FE0000

trusted library allocation

page read and write

822000

unkown

page readonly

13FB000

stack

page read and write

7150000

heap

page read and write

11BF000

stack

page read and write

5715000

heap

page read and write

7F6E000

stack

page read and write

2C40000

trusted library allocation

page read and write

E29000

heap

page read and write

5410000

trusted library section

page read and write

2CA5000

trusted library allocation

page read and write

1110000

direct allocation

page execute and read and write

52D0000

heap

page read and write

FE3000

trusted library allocation

page read and write

DB0000

heap

page read and write

1400000

trusted library allocation

page read and write

FD0000

trusted library allocation

page read and write

CB8000

heap

page read and write

D6E000

stack

page read and write

7640000

trusted library section

page read and write

2D30000

trusted library allocation

page execute and read and write

1080000

trusted library allocation

page execute and read and write

2D20000

trusted library allocation

page read and write

13BE000

stack

page read and write

53C0000

heap

page read and write

2CB0000

trusted library allocation

page read and write

DE4000

heap

page read and write

7E2E000

stack

page read and write

1440000

heap

page read and write

142D000

trusted library allocation

page read and write

A40000

heap

page read and write

2D26000

trusted library allocation

page read and write

52AB000

stack

page read and write

DF3000

heap

page read and write

FD3000

trusted library allocation

page execute and read and write

13DD000

direct allocation

page execute and read and write

5F4E000

stack

page read and write

10AF000

stack

page read and write

EF0000

heap

page read and write

FD4000

trusted library allocation

page read and write

2C50000

trusted library allocation

page read and write

10B0000

heap

page read and write

1002000

trusted library allocation

page read and write

DF5000

heap

page read and write

12BE000

stack

page read and write

7DC000

stack

page read and write

DB0000

heap

page read and write

2DE2000

trusted library allocation

page read and write

2C60000

trusted library allocation

page execute and read and write

1448000

heap

page read and write

2D91000

trusted library allocation

page read and write

DAE000

stack

page read and write

562D000

stack

page read and write

53D0000

trusted library allocation

page read and write

2BF0000

trusted library section

page read and write

3FF2000

trusted library allocation

page read and write

12AE000

direct allocation

page execute and read and write

532E000

stack

page read and write

3D99000

trusted library allocation

page read and write

1458000

direct allocation

page execute and read and write

581F000

stack

page read and write

CB0000

heap

page read and write

3D91000

trusted library allocation

page read and write

FAF000

stack

page read and write

52E3000

heap

page read and write

7C30000

heap

page read and write

4683000

trusted library allocation

page read and write

FF6000

trusted library allocation

page execute and read and write

1070000

heap

page read and write

123D000

direct allocation

page execute and read and write

FFA000

trusted library allocation

page execute and read and write

2DE4000

trusted library allocation

page read and write

476E000

trusted library allocation

page read and write

DD7000

heap

page read and write

10A0000

trusted library allocation

page read and write

6050000

heap

page read and write

45E7000

trusted library allocation

page read and write

5430000

heap

page execute and read and write

6060000

heap

page read and write

B6EE000

stack

page read and write

1007000

trusted library allocation

page execute and read and write

106E000

stack

page read and write

820000

unkown

page readonly

13D6000

direct allocation

page execute and read and write

A8E000

stack

page read and write

52C0000

heap

page read and write

D10000

heap

page read and write

A160000

trusted library allocation

page read and write

7852000

trusted library allocation

page read and write

2C70000

trusted library allocation

page read and write

141E000

trusted library allocation

page read and write

56F0000

trusted library allocation

page execute and read and write

56EE000

stack

page read and write

536E000

stack

page read and write

1090000

trusted library allocation

page read and write

There are 130 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
payment details.pdf.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportpayment details.pdf.exe

Files

Processes

Memdumps

IOC Report
payment details.pdf.exe