IOC Report
file.exe
Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (console) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\AAKKKEBFCGDBGDGCFHCBGIIIEB | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped |
C:\ProgramData\BAKFBKEHDBGHJJKFIEGDBKKFID | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\BFBGHDGCFHIDBGDGIIIEHIJDAF | SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6 | dropped |
C:\ProgramData\CBGCBGCAFIIECBFIDHIJ | ASCII text, with very long lines (1717), with CRLF line terminators | dropped |
C:\ProgramData\CFCBKKKJJJKKEBGDAFIDAAAEHD | SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7 | dropped |
C:\ProgramData\DHJKJKKK | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8 | dropped |
C:\ProgramData\EBAFHCBFHDHCAAKFHDGD | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\IJEGHJECFCFCBFIDBGCG | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\JEBKEHJJ | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped |
C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm | data | dropped |
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm | data | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |

URLs

Name | IP | Malicious
http://85.28.47.70cambino | | malicious
http://85.28.47.70/c10a74a0c2f42c12/mozglue.dll | 85.28.47.70 | malicious
http://85.28.47.70/c10a74a0c2f42c12/softokn3.dll | 85.28.47.70 | malicious
http://85.28.47.70/c10a74a0c2f42c12/msvcp140.dll | 85.28.47.70 | malicious
http://85.28.47.70/744f169d372be841.php | 85.28.47.70 | malicious
http://85.28.47.70/c10a74a0c2f42c12/freebl3.dll | 85.28.47.70 | malicious
http://85.28.47.70/ | 85.28.47.70 | malicious
http://85.28.47.70/c10a74a0c2f42c12/nss3.dll | 85.28.47.70 | malicious
http://85.28.47.70 | unknown | malicious
http://85.28.47.70/c10a74a0c2f42c12/vcruntime140.dll | 85.28.47.70 | malicious
http://85.28.47.70/c10a74a0c2f42c12/sqlite3.dll | 85.28.47.70 | malicious
https://duckduckgo.com/chrome_newtab | unknown |
http://85.28.47.70/744f169d372be841.phpA% | unknown |
https://duckduckgo.com/ac/?q= | unknown |
http://85.28.47.70/744f169d372be841.phpf% | unknown |
http://85.28.47.70/744f169d372be841.php=& | unknown |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown |
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | unknown |
http://85.28.47.70/c10a74a0c2f42c12/sqlite3.dllF | unknown |
http://85.28.47.70/c10a74a0c2f42c12/mozglue.dllz | unknown |
http://85.28.47.70/x | unknown |
http://85.28.47.70/744f169d372be841.phprum | unknown |
http://85.28.47.70/744f169d372be841.phplegram | unknown |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown |
http://85.28.47.70/j | unknown |
http://85.28.47.70/h | unknown |
http://85.28.47.70/c10a74a0c2f42c12/msvcp140.dll. | unknown |
http://www.sqlite.org/copyright.html. | unknown |
http://www.mozilla.com/en-US/blocklist/ | unknown |
https://mozilla.org0/ | unknown |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown |
http://85.28.47.70/F | unknown |
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | unknown |
http://85.28.47.70/c10a74a0c2f42c12/softokn3.dll. | unknown |
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | unknown |
http://85.28.47.70/c10a74a0c2f42c12/msvcp140.dllX | unknown |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown |
http://85.28.47.70/744f169d372be841.phposition: | unknown |
http://85.28.47.70/744f169d372be841.php3% | unknown |
https://www.ecosia.org/newtab/ | unknown |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | unknown |
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | unknown |
https://ac.ecosia.org/autocomplete?q= | unknown |
http://85.28.47.70DHIJDAK | unknown |
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt | unknown |
http://85.28.47.70/744f169d372be841.phpx% | unknown |
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | unknown |
http://85.28.47.70/744f169d372be841.php4 | unknown |
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3 | unknown |
https://support.mozilla.org | unknown |
http://85.28.47.70; | unknown |
http://85.28.47.70/744f169d372be841.php6& | unknown |
http://85.28.47.70/744f169d372be841.php( | unknown |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | unknown |
http://85.28.47.70/744f169d372be841.php& | unknown |
http://85.28.47.70/744f169d372be841.phpera | unknown |
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | unknown |

IPs

IP | Domain | Country | Malicious
85.28.47.70 | unknown | Russian Federation | malicious

Memdumps

Base Address | Regiontype | Protect | Malicious
EFA000 | heap | page read and write | malicious
61E00000 | direct allocation | page execute and read and write |
21109000 | heap | page read and write |
27111000 | heap | page read and write |
6CADE000 | unkown | page read and write |
BE0000 | unkown | page readonly |
BE0000 | unkown | page readonly |
61ED4000 | direct allocation | page readonly |
27152000 | heap | page read and write |
EF0000 | heap | page read and write |
1AA2F000 | stack | page read and write |
1AFE0000 | heap | page read and write |
61ECC000 | direct allocation | page read and write |
BE1000 | unkown | page execute read |
61ED3000 | direct allocation | page read and write |
4FD000 | stack | page read and write |
6C860000 | unkown | page readonly |
49F000 | remote allocation | page execute and read and write |
493000 | remote allocation | page execute and read and write |
BE1000 | unkown | page execute read |
2D19E000 | stack | page read and write |
9F3000 | stack | page read and write |
B8F000 | stack | page read and write |
1ABAD000 | stack | page read and write |
400000 | remote allocation | page execute and read and write |
33DF0000 | heap | page read and write |
D05000 | heap | page read and write |
A8D000 | stack | page read and write |
C44000 | unkown | page readonly |
270D0000 | heap | page read and write |
46A000 | remote allocation | page execute and read and write |
1BD000 | stack | page read and write |
89E000 | heap | page read and write |
C12000 | unkown | page write copy |
6C901000 | unkown | page execute read |
C12000 | unkown | page read and write |
1AD1E000 | stack | page read and write |
27132000 | heap | page read and write |
6C861000 | unkown | page execute read |
2109C000 | heap | page read and write |
61ED0000 | direct allocation | page read and write |
61ECD000 | direct allocation | page readonly |
4F1000 | remote allocation | page execute and read and write |
1180000 | heap | page read and write |
2D29E000 | stack | page read and write |
EDE000 | stack | page read and write |
2116B000 | heap | page read and write |
1AE6E000 | stack | page read and write |
D00000 | heap | page read and write |
587000 | remote allocation | page execute and read and write |
A8F000 | stack | page read and write |
C06000 | unkown | page readonly |
C60000 | heap | page read and write |
4C4000 | remote allocation | page execute and read and write |
1A46E000 | stack | page read and write |
43C000 | remote allocation | page execute and read and write |
FCF000 | heap | page read and write |
84E000 | stack | page read and write |
1A92E000 | stack | page read and write |
61E01000 | direct allocation | page execute read |
21087000 | heap | page read and write |
4FD000 | remote allocation | page execute and read and write |
C70000 | heap | page read and write |
F3F000 | heap | page read and write |
5A7000 | remote allocation | page execute and read and write |
2107F000 | heap | page read and write |
FE9000 | heap | page read and write |
63E000 | remote allocation | page execute and read and write |
80E000 | stack | page read and write |
21074000 | heap | page read and write |
6CADF000 | unkown | page write copy |
500000 | remote allocation | page execute and read and write |
6C0000 | heap | page read and write |
34830000 | heap | page read and write |
68E000 | stack | page read and write |
4D1000 | remote allocation | page execute and read and write |
890000 | heap | page read and write |
F20000 | heap | page read and write |
5AD000 | remote allocation | page execute and read and write |
61EB4000 | direct allocation | page read and write |
89A000 | heap | page read and write |
1183000 | heap | page read and write |
510000 | heap | page read and write |
F2C000 | heap | page read and write |
1AFF0000 | heap | page read and write |
270F0000 | heap | page read and write |
C44000 | unkown | page readonly |
8A7000 | heap | page read and write |
FAF000 | heap | page read and write |
1AA6D000 | stack | page read and write |
1A8B0000 | heap | page read and write |
9F8000 | stack | page read and write |
1AB6E000 | stack | page read and write |
1AF6D000 | stack | page read and write |
118C000 | heap | page read and write |
27172000 | heap | page read and write |
1AE1F000 | stack | page read and write |
C40000 | unkown | page read and write |
1ACAD000 | stack | page read and write |
6CA9F000 | unkown | page readonly |
61EB7000 | direct allocation | page readonly |
F4F000 | heap | page read and write |
21060000 | heap | page read and write |
8FB000 | stack | page read and write |
1B0F2000 | heap | page read and write |
21063000 | heap | page read and write |
1A56E000 | stack | page read and write |
210A4000 | heap | page read and write |
2107D000 | heap | page read and write |
6CAE5000 | unkown | page readonly |
F5B000 | heap | page read and write |
640000 | direct allocation | page execute and read and write |
D4F000 | stack | page read and write |
6C8DD000 | unkown | page readonly |
5F0000 | heap | page read and write |
CDD000 | stack | page read and write |
6C8F2000 | unkown | page readonly |
6CAE0000 | unkown | page read and write |
6C8EE000 | unkown | page read and write |
6C900000 | unkown | page readonly |
C06000 | unkown | page readonly |