Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

3mF4sIPmhE.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.488638446184253
Filename:	3mF4sIPmhE.exe
Filesize:	32488
MD5:	1f0400ea117f738244b05c52bfd2253a
SHA1:	49b1c8539ab963508164ec3dd6bb581bb61a15b5
SHA256:	941a13c363625534d3d5085313af453bc17bb5b71836af23dfb33cc4246aee92
SHA512:	b7250f3279c894b87432287d9144a090d233c3ad04d62d489874fd5044c8e98687015eede5cd80c69ce8a29fbf084e9206b1388799e4c3d2fee4f3227e2b807e
SSDEEP:	384:dY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZsq9+vnv9G:SL2s+tRyRpcnuTPX3EzX+2
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...mO.f.................V..........~t... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation Disable or Modify Tools
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\3mF4sIPmhE.exe

"C:\Users\user\Desktop\3mF4sIPmhE.exe"

Details

Is windows:	false
Is dropped:	false
PID:	964
Target ID:	0
Parent PID:	4004
Name:	3mF4sIPmhE.exe
Path:	C:\Users\user\Desktop\3mF4sIPmhE.exe
Commandline:	"C:\Users\user\Desktop\3mF4sIPmhE.exe"
Size:	32488
MD5:	1F0400EA117F738244B05C52BFD2253A
Time:	05:59:44
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf70000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\3mF4sIPmhE.exe" "3mF4sIPmhE.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	3164
Target ID:	2
Parent PID:	964
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\3mF4sIPmhE.exe" "3mF4sIPmhE.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	05:59:51
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6860
Target ID:	3
Parent PID:	3164
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:59:51
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

troia23.duckdns.org

18.229.140.246

Details

Name:	troia23.duckdns.org
IP:	18.229.140.246
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

18.229.140.246

troia23.duckdns.org

United States

Details

IP:	18.229.140.246
TargetID:	0
Current Path:	C:\Users\user\Desktop\3mF4sIPmhE.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	troia23.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\bcb4c719d2ef301534574d61226c5663

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

3611000

trusted library allocation

page read and write

F72000

unkown

page readonly

5950000

unclassified section

page read and write

3275000

heap

page read and write

3299000

heap

page read and write

3251000

heap

page read and write

146F000

heap

page read and write

329F000

heap

page read and write

32F1000

heap

page read and write

32A2000

heap

page read and write

56D2000

heap

page read and write

32AA000

heap

page read and write

30EE000

stack

page read and write

328E000

heap

page read and write

329B000

heap

page read and write

194C000

stack

page read and write

326C000

heap

page read and write

56E0000

heap

page read and write

32A2000

heap

page read and write

3255000

heap

page read and write

1428000

trusted library allocation

page read and write

32D1000

heap

page read and write

32A3000

heap

page read and write

329F000

heap

page read and write

14D1000

heap

page read and write

326B000

heap

page read and write

57A0000

trusted library allocation

page read and write

32FE000

heap

page read and write

30FB000

stack

page read and write

326B000

heap

page read and write

32F9000

heap

page read and write

32A7000

heap

page read and write

58E9000

stack

page read and write

36C0000

heap

page read and write

32AB000

heap

page read and write

3245000

heap

page read and write

32FE000

heap

page read and write

32F0000

heap

page read and write

32B0000

heap

page read and write

32EF000

heap

page read and write

50E0000

heap

page read and write

7F940000

trusted library allocation

page execute and read and write

32CF000

heap

page read and write

56D5000

heap

page read and write

56DE000

heap

page read and write

1400000

heap

page read and write

56DE000

heap

page read and write

565F000

stack

page read and write

1960000

heap

page read and write

328E000

heap

page read and write

326B000

heap

page read and write

58AC000

stack

page read and write

3220000

heap

page read and write

353E000

stack

page read and write

3291000

heap

page read and write

32D1000

heap

page read and write

582C000

stack

page read and write

3257000

heap

page read and write

3255000

heap

page read and write

174A000

trusted library allocation

page execute and read and write

3668000

trusted library allocation

page read and write

329F000

heap

page read and write

329A000

heap

page read and write

177A000

trusted library allocation

page execute and read and write

56DA000

heap

page read and write

5730000

trusted library allocation

page execute and read and write

32AA000

heap

page read and write

1750000

trusted library allocation

page read and write

33FE000

unkown

page read and write

343D000

stack

page read and write

32B0000

heap

page read and write

324A000

heap

page read and write

3220000

heap

page read and write

32F8000

heap

page read and write

1767000

trusted library allocation

page execute and read and write

570E000

stack

page read and write

2DB5000

heap

page read and write

3238000

heap

page read and write

3235000

heap

page read and write

32AC000

heap

page read and write

324C000

heap

page read and write

329F000

heap

page read and write

4F90000

heap

page read and write

56DE000

heap

page read and write

3249000

heap

page read and write

1336000

stack

page read and write

326E000

heap

page read and write

5DB0000

heap

page read and write

328E000

heap

page read and write

32A6000

heap

page read and write

178B000

trusted library allocation

page execute and read and write

3259000

heap

page read and write

5E30000

heap

page read and write

3297000

heap

page read and write

32A3000

heap

page read and write

3236000

heap

page read and write

57E3000

heap

page read and write

3244000

heap

page read and write

2D0B000

stack

page read and write

32A6000

heap

page read and write

36C6000

heap

page read and write

35D0000

heap

page read and write

3259000

heap

page read and write

1966000

heap

page read and write

5D30000

trusted library allocation

page execute and read and write

3256000

heap

page read and write

329B000

heap

page read and write

328E000

heap

page read and write

32EF000

heap

page read and write

1420000

trusted library allocation

page read and write

3259000

heap

page read and write

1A6E000

stack

page read and write

56DE000

heap

page read and write

3246000

heap

page read and write

329D000

heap

page read and write

1B20000

heap

page execute and read and write

56E0000

heap

page read and write

1423000

trusted library allocation

page read and write

3673000

trusted library allocation

page read and write

329B000

heap

page read and write

F70000

unkown

page readonly

32A0000

heap

page read and write

5720000

trusted library allocation

page read and write

32EF000

heap

page read and write

32A2000

heap

page read and write

4611000

trusted library allocation

page read and write

3258000

heap

page read and write

1405000

heap

page read and write

3208000

heap

page read and write

3245000

heap

page read and write

3249000

heap

page read and write

57E0000

heap

page read and write

324A000

heap

page read and write

1787000

trusted library allocation

page execute and read and write

32FE000

heap

page read and write

3251000

heap

page read and write

14CD000

heap

page read and write

123A000

stack

page read and write

32A5000

heap

page read and write

3248000

heap

page read and write

3254000

heap

page read and write

3644000

trusted library allocation

page read and write

3295000

heap

page read and write

1370000

heap

page read and write

1742000

trusted library allocation

page execute and read and write

17A0000

heap

page read and write

32CF000

heap

page read and write

3650000

heap

page read and write

3238000

heap

page read and write

329A000

heap

page read and write

56D2000

heap

page read and write

3220000

heap

page read and write

2DB0000

heap

page read and write

3299000

heap

page read and write

3214000

heap

page read and write

57B0000

trusted library allocation

page read and write

3246000

heap

page read and write

3295000

heap

page read and write

2DFD000

unkown

page read and write

3291000

heap

page read and write

32AA000

heap

page read and write

56B0000

heap

page read and write

3259000

heap

page read and write

32F5000

heap

page read and write

3259000

heap

page read and write

326D000

heap

page read and write

3293000

heap

page read and write

143A000

heap

page read and write

3200000

heap

page read and write

1A70000

heap

page read and write

3275000

heap

page read and write

32FB000

heap

page read and write

1430000

heap

page read and write

14DB000

heap

page read and write

3275000

heap

page read and write

56DE000

heap

page read and write

1752000

trusted library allocation

page execute and read and write

30FE000

stack

page read and write

3245000

heap

page read and write

32F7000

heap

page read and write

2D90000

heap

page read and write

32F4000

heap

page read and write

1782000

trusted library allocation

page read and write

329F000

heap

page read and write

32FE000

heap

page read and write

3293000

heap

page read and write

57C0000

trusted library allocation

page execute and read and write

32D1000

heap

page read and write

3259000

heap

page read and write

3256000

heap

page read and write

3258000

heap

page read and write

18F0000

heap

page read and write

368D000

trusted library allocation

page read and write

56D1000

heap

page read and write

56DE000

heap

page read and write

32AA000

heap

page read and write

1380000

heap

page read and write

3258000

heap

page read and write

30F4000

stack

page read and write

143E000

heap

page read and write

2D70000

heap

page read and write

2D80000

heap

page read and write

1780000

trusted library allocation

page read and write

329B000

heap

page read and write

1772000

trusted library allocation

page execute and read and write

18EE000

stack

page read and write

3295000

heap

page read and write

3245000

heap

page read and write

32A1000

heap

page read and write

56E5000

heap

page read and write

175A000

trusted library allocation

page execute and read and write

32A2000

heap

page read and write

56D9000

heap

page read and write

32EF000

heap

page read and write

3298000

heap

page read and write

328E000

heap

page read and write

3211000

heap

page read and write

586B000

stack

page read and write

176A000

trusted library allocation

page execute and read and write

329A000

heap

page read and write

324A000

heap

page read and write

1A88000

trusted library allocation

page read and write

3275000

heap

page read and write

5DC0000

heap

page read and write

324C000

heap

page read and write

555E000

stack

page read and write

There are 216 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
3mF4sIPmhE.exe

Files

Processes

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report3mF4sIPmhE.exe

Files

Processes

Domains

IPs

Registry

Memdumps

IOC Report
3mF4sIPmhE.exe