Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\7Xex8yR90g.exe

"C:\Users\user\Desktop\7Xex8yR90g.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4428
Target ID:	0
Parent PID:	1028
Name:	7Xex8yR90g.exe
Path:	C:\Users\user\Desktop\7Xex8yR90g.exe
Commandline:	"C:\Users\user\Desktop\7Xex8yR90g.exe"
Size:	407040
MD5:	8242342835F51D7321B9EF1DB28B40A0
Time:	15:16:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1f0000
Modulesize:	425984
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3792
Target ID:	2
Parent PID:	4428
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	15:16:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf20000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1288
Target ID:	1
Parent PID:	4428
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:16:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://94.228.166.55/924cf5c06b0c4fee.php

Details

Name:	http://94.228.166.55/924cf5c06b0c4fee.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\7Xex8yR90g.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

229000

unkown

page read and write

400000

remote allocation

page execute and read and write

1F1000

unkown

page execute read

254000

unkown

page readonly

1330000

heap

page read and write

254000

unkown

page readonly

229000

unkown

page write copy

99C000

stack

page read and write

12FC000

stack

page read and write

2AF0000

heap

page read and write

637000

remote allocation

page execute and read and write

14B0000

heap

page read and write

15DF000

stack

page read and write

625000

remote allocation

page execute and read and write

120F000

stack

page read and write

14D0000

heap

page read and write

E80000

direct allocation

page execute and read and write

FCC000

stack

page read and write

21C000

unkown

page readonly

2D3E000

stack

page read and write

21C000

unkown

page readonly

102F000

heap

page read and write

250000

unkown

page read and write

1610000

heap

page read and write

E2E000

stack

page read and write

101A000

heap

page read and write

2C3E000

stack

page read and write

E6E000

stack

page read and write

DE0000

heap

page read and write

1F0000

unkown

page readonly

1010000

heap

page read and write

1410000

heap

page read and write

1F1000

unkown

page execute read

CFC000

stack

page read and write

E90000

heap

page read and write

101E000

heap

page read and write

161A000

heap

page read and write

1F0000

unkown

page readonly

D00000

heap

page read and write

F9F000

stack

page read and write

147E000

stack

page read and write

There are 31 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
7Xex8yR90g.exe

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report7Xex8yR90g.exe

Processes

URLs

Memdumps

IOC Report
7Xex8yR90g.exe