Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_20.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.5086172286110155
Filename:	LisectAVT_2403002A_20.exe
Filesize:	234500
MD5:	c4d3655d5c8b473292c064ea6392e59e
SHA1:	7dff8774fabb5e6ef3a9a695d89e8c369d2cd6f4
SHA256:	b3a927c1fdd44c0c8f0c819cb62ca6e0fa8362b9fb7d5baa10cd5348e4a20bde
SHA512:	56ba118a982a9d18a386931f1ce5d13339acee83fb81900b6cc48f845311b05bf756d58f969c1a61f307ba12a02d9bc5370bb7cf8c0c910a7fa6347f4a8d9148
SSDEEP:	3072:Hy/JcAzMcvZv2wjNHMk/54RNA5CvIjwRvOYSIxYL7fJSNyoBYTbLOoCAT7ht:HEcuMKv2wjRMNPA56x1T7IJSNfCZT7h
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..\#.[\#.[\#.[3U.[D#.[3U [(#.[3U![{#.[U[.[W#.[\#.[7#.[3U%[]#.[3U.[]#.[3U.[]#.[Rich\#.[........................PE..L......d...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Sample uses string decryption to hide its real strings	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to read the PEB	Anti Debugging
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses new MSVCR Dlls	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_c7b5203bb51c74a66cfecff0322c301d262e365b_1762b4af_22897c61-9cb0-4a6e-8669-723f8d33773a\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_c7b5203bb51c74a66cfecff0322c301d262e365b_1762b4af_22897c61-9cb0-4a6e-8669-723f8d33773a\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.7840849924563663
Encrypted:	false
Ssdeep:	96:MSCyNXtWsLyhqeLI7qLfHQXIDcQjc6EObQcENcw3UjU+HbHg/8BRTf3o8Fa9SAjk:/CaW2o0094ObQXkjJdzuiFMZ24IO8T
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BE.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Jul 25 20:51:37 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BE.tmp.dmp
Category:	dropped
Dump:	WER6BE.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Jul 25 20:51:37 2024, 0x1205a4 type
Entropy:	2.57764770464237
Encrypted:	false
Ssdeep:	96:5k8ql1anLj6Uta61BGHPXExt+Qa0Tnelk/i7pvK+pQ7kB/bIQ291Loqx3QN7WIkp:BofPXG+QRLel8Op9NIV0q5QNPGb5GfO
Size:	23918
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER74C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER74C.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6961642400319263
Encrypted:	false
Ssdeep:	192:R6l7wVeJPjJ6gkoSk56YEIY1SU9NLmgmfqyObb9GpDP89bMJsfOEm:R6lXJ7J6gkjQ6YEnSU9NLmgmfqyObFMD
Size:	8398
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C.tmp.xml
Category:	dropped
Dump:	WER76C.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.497643293491694
Encrypted:	false
Ssdeep:	48:cvIwWl8zs2NJg77aI9ZjuWpW8VYFYm8M4JEQZFD+q8sACZI5kd:uIjfCI7TjP7VBJ3TZI5kd
Size:	4656
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421573146259613
Encrypted:	false
Ssdeep:	6144:zSvfpi6ceLP/9skLmb0OToWSPHaJG8nAgeMZMMhA2fX4WABlEnNp0uhiTw:+vloToW+EZMM6DFyX03w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_20.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5264
Target ID:	0
Parent PID:	1028
Name:	LisectAVT_2403002A_20.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_20.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_20.exe"
Size:	234500
MD5:	C4D3655D5C8B473292C064EA6392E59E
Time:	16:51:36
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2338816
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456

Details

Is windows:	true
Is dropped:	false
PID:	3872
Target ID:	4
Parent PID:	5264
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	16:51:37
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7a0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.172.128.26/f993692117a3fda2.php

Details

Name:	http://185.172.128.26/f993692117a3fda2.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_20.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://upx.sf.net

unknown