Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

BANK LETTER INDICATION.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.963947151147331
Filename:	BANK LETTER INDICATION.exe
Filesize:	1210368
MD5:	b0fd67ec3db079fd398d7f2fa7ad45bc
SHA1:	a8bfe4c1fc745e35cde2acf1164c9ed92363df7d
SHA256:	89d5d25cd020213d6426f13296765683202542062cdcfb10b611d46a65d38d0f
SHA512:	bf0d480dc4b79a7c4e903741131ce59431bcc1acaf9f503c8e7f936e3fee56e3b1a0249d8764a638cb88444ea985c767f4ae0769362aed8568675ea248c16955
SSDEEP:	24576:BXrUP6Zdhmvcihyofx0xs+8I0I/yXSBHanjgFbosgA19o:BbUPf0ehysMBHanj4bt9o
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*d...............0......f......z/... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to bypass UAC (CMSTPLUA)	Privilege Escalation	Bypass User Account Control Access Token Manipulation
Detected Remcos RAT	Remote Access Functionality	Remote Access Software
Found malware configuration	AV Detection	Access Token Manipulation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to steal Chrome passwords or cookies	Stealing of Sensitive Information	OS Credential Dumping Account Discovery System Owner/User Discovery
Contains functionality to steal Firefox passwords or cookies	Stealing of Sensitive Information	Access Token Manipulation Credentials In Files System Time Discovery
Contains functionalty to change the wallpaper	Spam, unwanted Advertisements and Ransom Demands	Defacement
Delayed program exit found	Malware Analysis System Evasion	Access Token Manipulation Process Discovery Ingress Tool Transfer
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Process Injection
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to download and launch executables	Persistence and Installation Behavior	Access Token Manipulation Process Discovery Ingress Tool Transfer
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to enumerate running services	Malware Analysis System Evasion	System Service Discovery
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality	Command and Scripting Interpreter Access Token Manipulation Account Discovery System Owner/User Discovery
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Process Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution Windows Service Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains functionality to start windows services	Boot Survival	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK LETTER INDICATION.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK LETTER INDICATION.exe.log
Category:	dropped
Dump:	BANK LETTER INDICATION.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\BANK LETTER INDICATION.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\BANK LETTER INDICATION.exe

"C:\Users\user\Desktop\BANK LETTER INDICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6988
Target ID:	0
Parent PID:	4056
Name:	BANK LETTER INDICATION.exe
Path:	C:\Users\user\Desktop\BANK LETTER INDICATION.exe
Commandline:	"C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
Size:	1210368
MD5:	B0FD67EC3DB079FD398D7F2FA7AD45BC
Time:	11:51:23
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa20000
Modulesize:	1236992
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\BANK LETTER INDICATION.exe

"C:\Users\user\Desktop\BANK LETTER INDICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3212
Target ID:	3
Parent PID:	6988
Name:	BANK LETTER INDICATION.exe
Path:	C:\Users\user\Desktop\BANK LETTER INDICATION.exe
Commandline:	"C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
Size:	1210368
MD5:	B0FD67EC3DB079FD398D7F2FA7AD45BC
Time:	11:51:25
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x890000
Modulesize:	1236992
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1032
Target ID:	4
Parent PID:	3212
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	"c:\program files (x86)\internet explorer\iexplore.exe"
Size:	828368
MD5:	6F0F06D6AB125A99E43335427066A4A1
Time:	11:51:25
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x5d0000
Modulesize:	835584
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

192.3.64.149

Details

Name:	192.3.64.149
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\BANK LETTER INDICATION.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://geoplugin.net/json.gp

unknown

http://geoplugin.net/json.gp/C

unknown

Details

Name:	http://geoplugin.net/json.gp/C
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\BANK LETTER INDICATION.exe
Source:	BANK LETTER INDICATION.exe, 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, BANK LETTER INDICATION.exe, 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-7Q1GRN

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-7Q1GRN

Inj

Memdumps

Base Address

Regiontype

Protect

Malicious

3EF9000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

3154000

heap

page read and write

ED0000

heap

page read and write

2CD0000

trusted library allocation

page read and write

2CBE000

trusted library allocation

page read and write

59FE000

stack

page read and write

2E96000

trusted library allocation

page read and write

31D0000

heap

page read and write

2CF0000

trusted library allocation

page execute and read and write

1130000

trusted library allocation

page read and write

1090000

heap

page read and write

2C5E000

stack

page read and write

1100000

trusted library allocation

page read and write

4FEB000

stack

page read and write

2D70000

heap

page read and write

2ED5000

trusted library allocation

page read and write

5380000

heap

page execute and read and write

5580000

heap

page read and write

EF7000

stack

page read and write

553E000

stack

page read and write

4C2E000

stack

page read and write

2BF7000

trusted library allocation

page execute and read and write

2E70000

trusted library allocation

page read and write

478000

remote allocation

page execute and read and write

2DF0000

heap

page read and write

1231000

heap

page read and write

2F3C000

heap

page read and write

6EDF1000

unkown

page execute read

53B0000

trusted library allocation

page read and write

1132000

trusted library allocation

page read and write

7B40000

trusted library section

page read and write

2F45000

heap

page read and write

28BA000

stack

page read and write

7260000

heap

page read and write

2F28000

heap

page read and write

BD9000

stack

page read and write

2C10000

trusted library allocation

page read and write

4B2E000

stack

page read and write

6EDF0000

unkown

page readonly

10B7000

heap

page read and write

6160000

heap

page read and write

2BF2000

trusted library allocation

page read and write

1181000

heap

page read and write

2F41000

heap

page read and write

2FD0000

unclassified section

page execute and read and write

2A4F000

stack

page read and write

2C02000

system

page execute and read and write

2EE0000

heap

page execute and read and write

2F4A000

heap

page read and write

2F62000

heap

page read and write

5560000

heap

page read and write

7FDE000

stack

page read and write

133F000

stack

page read and write

5350000

trusted library allocation

page read and write

B44000

unkown

page readonly

1123000

trusted library allocation

page read and write

41F7000

trusted library allocation

page read and write

577E000

stack

page read and write

D5C000

stack

page read and write

78F0000

trusted library allocation

page execute and read and write

2CD8000

trusted library allocation

page read and write

5570000

heap

page read and write

54F0000

heap

page read and write

F40000

heap

page read and write

33D0000

heap

page read and write

4AEF000

stack

page read and write

7C9E000

stack

page read and write

33D5000

heap

page read and write

2D24000

system

page execute and read and write

1110000

trusted library allocation

page read and write

F10000

heap

page read and write

6170000

heap

page read and write

1136000

trusted library allocation

page execute and read and write

2E60000

trusted library allocation

page read and write

3160000

heap

page read and write

2E9D000

trusted library allocation

page read and write

793B000

heap

page read and write

2CC0000

trusted library allocation

page read and write

47E3000

trusted library allocation

page read and write

2ED0000

trusted library allocation

page read and write

33BE000

stack

page read and write

2F45000

heap

page read and write

9E7E000

trusted library allocation

page read and write

5A80000

trusted library allocation

page read and write

1176000

heap

page read and write

2F20000

heap

page read and write

53C0000

trusted library allocation

page execute and read and write

587E000

stack

page read and write

1020000

heap

page read and write

113A000

trusted library allocation

page execute and read and write

2F6A000

trusted library allocation

page read and write

7B3E000

stack

page read and write

2D00000

heap

page read and write

114E000

heap

page read and write

2E50000

trusted library allocation

page execute and read and write

3150000

heap

page read and write

4795000

trusted library allocation

page read and write

54F3000

heap

page read and write

A20000

unkown

page readonly

7DDE000

stack

page read and write

107E000

stack

page read and write

A1A0000

trusted library section

page read and write

2C00000

system

page execute and read and write

1113000

trusted library allocation

page execute and read and write

53B2000

trusted library allocation

page read and write

4747000

trusted library allocation

page read and write

7FD10000

trusted library allocation

page execute and read and write

2F56000

trusted library allocation

page read and write

3EF1000

trusted library allocation

page read and write

10E0000

heap

page read and write

10B0000

heap

page read and write

2BF0000

trusted library allocation

page read and write

2F62000

heap

page read and write

2F49000

heap

page read and write

1184000

heap

page read and write

2F52000

trusted library allocation

page read and write

2F43000

heap

page read and write

7CA0000

trusted library section

page read and write

111D000

trusted library allocation

page execute and read and write

7B9E000

stack

page read and write

2BFB000

trusted library allocation

page execute and read and write

ECE000

stack

page read and write

5540000

trusted library section

page readonly

54DB000

stack

page read and write

31E0000

heap

page read and write

59BE000

stack

page read and write

30F2000

unclassified section

page execute and read and write

1030000

heap

page read and write

144E000

stack

page read and write

2A50000

heap

page read and write

1168000

heap

page read and write

1120000

trusted library allocation

page read and write

5470000

trusted library allocation

page read and write

120C000

heap

page read and write

2EC0000

trusted library allocation

page read and write

2E91000

trusted library allocation

page read and write

615E000

stack

page read and write

2C70000

trusted library allocation

page read and write

1204000

heap

page read and write

5330000

trusted library allocation

page read and write

2F45000

heap

page read and write

2C60000

trusted library section

page read and write

3140000

heap

page read and write

2F46000

heap

page read and write

5A90000

trusted library allocation

page read and write

1114000

trusted library allocation

page read and write

2E8E000

trusted library allocation

page read and write

2F6C000

trusted library allocation

page read and write

5575000

heap

page read and write

2E4B000

stack

page read and write

105E000

stack

page read and write

1340000

heap

page read and write

11E7000

heap

page read and write

2E0E000

stack

page read and write

10BE000

stack

page read and write

2D60000

heap

page readonly

6EE0D000

unkown

page read and write

C5C000

stack

page read and write

1148000

heap

page read and write

474000

remote allocation

page execute and read and write

6EE0F000

unkown

page readonly

1140000

heap

page read and write

5550000

heap

page read and write

112D000

trusted library allocation

page execute and read and write

58BE000

stack

page read and write

6EE06000

unkown

page readonly

7900000

heap

page read and write

2CB0000

trusted library allocation

page read and write

A22000

unkown

page readonly

2F42000

heap

page read and write

101F000

stack

page read and write

54E0000

trusted library allocation

page execute and read and write

29B9000

stack

page read and write

10E8000

heap

page read and write

DB0000

heap

page read and write

53B6000

trusted library allocation

page read and write

2EB0000

trusted library allocation

page read and write

2D50000

heap

page read and write

7A3E000

stack

page read and write

2EF1000

trusted library allocation

page read and write

53A0000

heap

page read and write

There are 172 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
BANK LETTER INDICATION.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBANK LETTER INDICATION.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
BANK LETTER INDICATION.exe