Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_19.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.914654400470132
Filename:	LisectAVT_2403002A_19.exe
Filesize:	1353734
MD5:	afb12495b0c9be1ad8acc1709ff5eb1e
SHA1:	425cdd67c93562d960e4f86d9dab43b735bf84e8
SHA256:	8c385cb00ccafc20b0e9112948b85590cc3979c489f3902918f978acd6aa508b
SHA512:	04c93c61b68ee781010dbb913b364e11101bd096f76df001474af226e467b1bf2f84774d1188a50eedf78f9334a64e9c34de4f33ef2884e36f9a6e255e8b5f08
SSDEEP:	24576:5vUYwEInDMNjcqkUg4V1NhGMlBXkZubMS:hxInghcqko5hGMlBZL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.a.................l...8........... ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains functionality to modify the execution of threads in other processes
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_19.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_19.exe.log
Category:	dropped
Dump:	LisectAVT_2403002A_19.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_19.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3387892510515025
Encrypted:	false
Ssdeep:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
Size:	1314
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_19.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3924
Target ID:	0
Parent PID:	4004
Name:	LisectAVT_2403002A_19.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_19.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"
Size:	1353734
MD5:	AFB12495B0C9BE1AD8ACC1709FF5EB1E
Time:	17:06:31
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1d0000
Modulesize:	1384448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\LisectAVT_2403002A_19.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2708
Target ID:	3
Parent PID:	3924
Name:	LisectAVT_2403002A_19.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_19.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_19.exe"
Size:	1353734
MD5:	AFB12495B0C9BE1AD8ACC1709FF5EB1E
Time:	17:06:33
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe40000
Modulesize:	1384448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://127.0.0.1:HTTP/1.1

unknown

http://www.phapsoftware.hotgoo.net)C

unknown

http://www.phapsoftware.hotgoo.net:

unknown

http://DynDns.comDynDNS

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://www.phapsoftware.hotgoo.net

unknown

https://api.ipify.org%4

unknown

http://KMcLhe.com

unknown

https://api.ipify.org%GETMozilla/5.0

unknown

http://b6QQBzu4tg.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

http://b6QQBzu4tg.comt-

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

smtp.agceram.com

unknown

Details

Name:	smtp.agceram.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

3331000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

25B1000

trusted library allocation

page read and write

35B1000

trusted library allocation

page read and write

5E1E000

stack

page read and write

50BB000

stack

page read and write

5190000

trusted library allocation

page read and write

1950000

heap

page read and write

5B2E000

stack

page read and write

4F3E000

stack

page read and write

8A7000

heap

page read and write

400000

remote allocation

page execute and read and write

4AD1000

trusted library allocation

page read and write

4359000

trusted library allocation

page read and write

7780000

trusted library section

page read and write

6F5000

stack

page read and write

1239000

stack

page read and write

50C9000

trusted library allocation

page read and write

810000

trusted library allocation

page read and write

71FE000

stack

page read and write

7FC30000

trusted library allocation

page execute and read and write

1778000

trusted library allocation

page read and write

5200000

trusted library allocation

page read and write

4CB0000

trusted library allocation

page read and write

1797000

trusted library allocation

page execute and read and write

7B1E000

stack

page read and write

840000

trusted library allocation

page read and write

15BC000

heap

page read and write

E500000

heap

page read and write

1430000

trusted library allocation

page read and write

579D000

trusted library allocation

page read and write

1D0000

unkown

page readonly

4B30000

trusted library allocation

page read and write

3736000

trusted library allocation

page read and write

4B80000

heap

page read and write

31EB000

trusted library allocation

page read and write

51C0000

trusted library allocation

page read and write

820000

trusted library allocation

page read and write

578A000

trusted library allocation

page read and write

77C0000

trusted library allocation

page execute and read and write

24A0000

heap

page read and write

18AE000

stack

page read and write

3877000

trusted library allocation

page read and write

8B5000

heap

page read and write

1795000

trusted library allocation

page execute and read and write

3118000

trusted library allocation

page read and write

5770000

trusted library allocation

page read and write

4B90000

trusted library allocation

page execute and read and write

4ADD000

trusted library allocation

page read and write

51B0000

trusted library allocation

page execute and read and write

1850000

trusted library allocation

page read and write

5AD0000

heap

page execute and read and write

7A0000

heap

page read and write

67BD000

stack

page read and write

E4FD000

stack

page read and write

45FD000

stack

page read and write

6D7E000

stack

page read and write

5180000

heap

page read and write

C3E000

stack

page read and write

6B80000

heap

page read and write

332E000

stack

page read and write

3740000

trusted library allocation

page read and write

1443000

trusted library allocation

page execute and read and write

4C9E000

stack

page read and write

1420000

heap

page read and write

1940000

trusted library allocation

page execute and read and write

577B000

trusted library allocation

page read and write

857000

heap

page read and write

31C000

unkown

page readonly

7140000

trusted library allocation

page read and write

18F0000

trusted library allocation

page read and write

2450000

heap

page execute and read and write

5A00000

heap

page read and write

58A0000

heap

page read and write

6B7E000

stack

page read and write

2CC000

unkown

page readonly

5830000

heap

page read and write

51E0000

trusted library allocation

page execute and read and write

1440000

trusted library allocation

page read and write

8B2000

heap

page read and write

6BB1000

heap

page read and write

865000

trusted library allocation

page execute and read and write

463D000

stack

page read and write

1667000

heap

page read and write

59CE000

stack

page read and write

1900000

trusted library allocation

page read and write

45B0000

trusted library allocation

page read and write

830000

trusted library allocation

page read and write

777E000

stack

page read and write

4CD0000

heap

page read and write

4ACE000

trusted library allocation

page read and write

7060000

trusted library allocation

page execute and read and write

83D000

trusted library allocation

page execute and read and write

58A4000

heap

page read and write

5A24000

heap

page read and write

50E0000

heap

page read and write

70BE000

stack

page read and write

1602000

heap

page read and write

1D2000

unkown

page readonly

80E000

stack

page read and write

59F0000

heap

page read and write

1770000

trusted library allocation

page read and write

6DBE000

stack

page read and write

581F000

heap

page read and write

6650000

trusted library allocation

page execute and read and write

87E000

heap

page read and write

2DF000

unkown

page readonly

6E9F000

stack

page read and write

374C000

trusted library allocation

page read and write

6B8D000

heap

page read and write

31E0000

trusted library allocation

page read and write

3210000

trusted library allocation

page read and write

1444000

trusted library allocation

page read and write

6B6E000

heap

page read and write

70E0000

trusted library allocation

page execute and read and write

E6FE000

stack

page read and write

66BC000

stack

page read and write

51D0000

trusted library allocation

page execute and read and write

6660000

trusted library allocation

page execute and read and write

1930000

heap

page read and write

5AE0000

heap

page read and write

1786000

trusted library allocation

page execute and read and write

16C0000

trusted library allocation

page execute and read and write

1740000

trusted library allocation

page read and write

57C0000

heap

page read and write

59BD000

stack

page read and write

3220000

heap

page read and write

16B0000

heap

page read and write

179B000

trusted library allocation

page execute and read and write

77E000

stack

page read and write

1580000

heap

page read and write

850000

heap

page read and write

57D1000

heap

page read and write

86B000

trusted library allocation

page execute and read and write

4A90000

trusted library allocation

page read and write

50F0000

trusted library allocation

page read and write

15BA000

heap

page read and write

6FDF000

stack

page read and write

4AD6000

trusted library allocation

page read and write

7130000

trusted library allocation

page read and write

17FE000

stack

page read and write

6EDE000

stack

page read and write

2CA000

unkown

page readonly

6EBC000

stack

page read and write

31F0000

heap

page execute and read and write

4BA1000

trusted library allocation

page read and write

7980000

trusted library section

page read and write

51A0000

trusted library allocation

page read and write

373A000

trusted library allocation

page read and write

1910000

trusted library allocation

page execute and read and write

542E000

stack

page read and write

50D0000

trusted library section

page readonly

7B20000

trusted library allocation

page read and write

7EFF0000

trusted library allocation

page execute and read and write

1840000

trusted library allocation

page execute and read and write

7262000

trusted library allocation

page read and write

7050000

trusted library allocation

page read and write

870000

heap

page read and write

6D5F000

stack

page read and write

145D000

trusted library allocation

page execute and read and write

5B30000

trusted library allocation

page execute and read and write

13DE000

stack

page read and write

70FE000

stack

page read and write

82D000

trusted library allocation

page execute and read and write

25AE000

stack

page read and write

1920000

trusted library allocation

page execute and read and write

4CE0000

trusted library allocation

page read and write

3B9000

stack

page read and write

6ABE000

stack

page read and write

249B000

stack

page read and write

57C3000

heap

page read and write

4AF0000

trusted library allocation

page read and write

1630000

heap

page read and write

15AB000

heap

page read and write

4E90000

heap

page execute and read and write

94F000

heap

page read and write

31D0000

trusted library allocation

page read and write

157E000

stack

page read and write

4B00000

trusted library allocation

page read and write

1750000

trusted library allocation

page execute and read and write

4CC0000

trusted library allocation

page read and write

36C6000

trusted library allocation

page read and write

51F0000

trusted library allocation

page read and write

6A7D000

stack

page read and write

5782000

trusted library allocation

page read and write

31EE000

trusted library allocation

page read and write

B3F000

stack

page read and write

243E000

stack

page read and write

650E000

stack

page read and write

3200000

trusted library allocation

page read and write

59E5000

heap

page read and write

1748000

trusted library allocation

page read and write

1780000

trusted library allocation

page read and write

1337000

stack

page read and write

577E000

trusted library allocation

page read and write

94B000

heap

page read and write

70F0000

trusted library allocation

page execute and read and write

5791000

trusted library allocation

page read and write

59C0000

trusted library allocation

page execute and read and write

5970000

trusted library allocation

page read and write

1790000

trusted library allocation

page read and write

374E000

trusted library allocation

page read and write

1860000

heap

page read and write

842000

trusted library allocation

page read and write

862000

trusted library allocation

page read and write

4B20000

trusted library allocation

page read and write

178A000

trusted library allocation

page execute and read and write

7C0000

heap

page read and write

5796000

trusted library allocation

page read and write

31D9000

trusted library allocation

page read and write

4398000

trusted library allocation

page read and write

2440000

trusted library allocation

page execute and read and write

1427000

heap

page read and write

2DC000

unkown

page readonly

6B60000

heap

page read and write

846000

trusted library allocation

page execute and read and write

5980000

trusted library allocation

page read and write

474C000

stack

page read and write

1460000

heap

page read and write

773F000

stack

page read and write

867000

trusted library allocation

page execute and read and write

50C0000

trusted library allocation

page read and write

6D9E000

stack

page read and write

1648000

heap

page read and write

31B0000

trusted library allocation

page read and write

3718000

trusted library allocation

page read and write

1792000

trusted library allocation

page read and write

144D000

trusted library allocation

page execute and read and write

183C000

stack

page read and write

84A000

trusted library allocation

page execute and read and write

371B000

trusted library allocation

page read and write

59D0000

trusted library allocation

page read and write

1588000

heap

page read and write

1680000

trusted library allocation

page read and write

4AA0000

trusted library allocation

page read and write

57E2000

heap

page read and write

17B0000

trusted library allocation

page read and write

70C0000

trusted library section

page read and write

5B40000

trusted library allocation

page execute and read and write

878000

heap

page read and write

1390000

heap

page read and write

4B13000

heap

page read and write

6BBC000

heap

page read and write

730000

heap

page read and write

1450000

trusted library allocation

page read and write

1782000

trusted library allocation

page read and write

6AFE000

stack

page read and write

823000

trusted library allocation

page execute and read and write

AFFC000

trusted library allocation

page read and write

13E0000

heap

page read and write

36CC000

trusted library allocation

page read and write

578E000

trusted library allocation

page read and write

1960000

trusted library allocation

page read and write

4AB0000

trusted library allocation

page read and write

59E0000

heap

page read and write

23F0000

trusted library allocation

page read and write

4331000

trusted library allocation

page read and write

4B10000

heap

page read and write

70BE000

stack

page read and write

720000

heap

page read and write

824000

trusted library allocation

page read and write

4B40000

trusted library allocation

page read and write

There are 252 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_19.exe

Files

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_19.exe

Files

Processes

URLs

Domains

Memdumps

IOC Report
LisectAVT_2403002A_19.exe