Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

OLHskBFtS1.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.617107723963221
Filename:	OLHskBFtS1.exe
Filesize:	32256
MD5:	8a40b60f37d095570a50f5edf2680d48
SHA1:	c29668edffbfa0e444ad56fbd5bc71d3aa81281e
SHA256:	4c64981ad17309e21b795b0af8fc4174d4ebeaca4129ab73b50a37b96066daa3
SHA512:	4c61b139630082394d2c9db2b2e7e651b3dac083345044e42cfa15abd4e690a1aabe7961ecbe9453b3b0cf1ad2b5811a2af7d22de6c49d91f8acb768271a9686
SSDEEP:	768:AjMXjwpJbb2zxxO56eqvPisfv8yQmIDUu0ti9Cj:XkKdisvQVkVj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,Yf.................v............... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API Security Software Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture Security Software Discovery
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
SQL strings found in memory and binary data	System Summary	Security Software Discovery
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\OLHskBFtS1.exe

"C:\Users\user\Desktop\OLHskBFtS1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7464
Target ID:	0
Parent PID:	3504
Name:	OLHskBFtS1.exe
Path:	C:\Users\user\Desktop\OLHskBFtS1.exe
Commandline:	"C:\Users\user\Desktop\OLHskBFtS1.exe"
Size:	32256
MD5:	8A40B60F37D095570A50F5EDF2680D48
Time:	12:53:01
Date:	16/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x690000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\OLHskBFtS1.exe" "OLHskBFtS1.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	7572
Target ID:	2
Parent PID:	7464
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\OLHskBFtS1.exe" "OLHskBFtS1.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	12:53:08
Date:	16/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1200000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7580
Target ID:	3
Parent PID:	7572
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:53:08
Date:	16/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f010000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

0.tcp.eu.ngrok.io

3.74.27.83

Details

Name:	0.tcp.eu.ngrok.io
IP:	3.74.27.83
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

18.192.31.30

unknown

United States

Details

IP:	18.192.31.30
TargetID:	0
Current Path:	C:\Users\user\Desktop\OLHskBFtS1.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

3.74.27.83

0.tcp.eu.ngrok.io

United States

Details

IP:	3.74.27.83
TargetID:	0
Current Path:	C:\Users\user\Desktop\OLHskBFtS1.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	0.tcp.eu.ngrok.io

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

18.153.198.123

unknown

United States

Details

IP:	18.153.198.123
TargetID:	0
Current Path:	C:\Users\user\Desktop\OLHskBFtS1.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\4f7098563ca32e152a50bf8bea3737b3

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

692000

unkown

page readonly

FD2000

trusted library allocation

page read and write

4E91000

heap

page read and write

9B9000

heap

page read and write

8ED000

stack

page read and write

9DD000

heap

page read and write

FBA000

trusted library allocation

page execute and read and write

A59000

heap

page read and write

3EB000

stack

page read and write

9F1000

heap

page read and write

997000

heap

page read and write

5AE7000

heap

page read and write

9A5000

heap

page read and write

E7E000

stack

page read and write

4E6E000

stack

page read and write

9AA000

heap

page read and write

9E9000

heap

page read and write

A03000

heap

page read and write

FC2000

trusted library allocation

page execute and read and write

9DD000

heap

page read and write

5AE4000

heap

page read and write

A32000

heap

page read and write

A5E000

heap

page read and write

9B4000

heap

page read and write

9DD000

heap

page read and write

981000

heap

page read and write

9AC000

heap

page read and write

1060000

heap

page execute and read and write

790000

heap

page read and write

9B1000

heap

page read and write

4EA7000

heap

page read and write

A10000

heap

page read and write

C60000

heap

page read and write

F80000

trusted library allocation

page read and write

9E6000

heap

page read and write

5450000

trusted library allocation

page execute and read and write

E16000

heap

page read and write

A10000

heap

page read and write

2D3C000

trusted library allocation

page read and write

55C0000

heap

page read and write

9EC000

heap

page read and write

9EC000

heap

page read and write

4E93000

heap

page read and write

A5E000

heap

page read and write

A36000

heap

page read and write

9DE000

heap

page read and write

E10000

heap

page read and write

9A6000

heap

page read and write

D74000

heap

page read and write

9AA000

heap

page read and write

9EE000

heap

page read and write

D6F000

heap

page read and write

AF6000

stack

page read and write

A03000

heap

page read and write

4EAB000

heap

page read and write

50BE000

stack

page read and write

FDB000

trusted library allocation

page execute and read and write

9A9000

heap

page read and write

9D9000

heap

page read and write

A5B000

heap

page read and write

9EC000

heap

page read and write

506F000

stack

page read and write

9A5000

heap

page read and write

6FE000

stack

page read and write

2CC3000

trusted library allocation

page read and write

760000

heap

page read and write

A03000

heap

page read and write

5620000

heap

page read and write

9A7000

heap

page read and write

56EC000

stack

page read and write

D68000

heap

page read and write

11FE000

stack

page read and write

5BC0000

heap

page read and write

7B0000

heap

page read and write

592E000

stack

page read and write

297F000

stack

page read and write

9AF000

heap

page read and write

9DD000

heap

page read and write

4E95000

heap

page read and write

57EA000

stack

page read and write

A56000

heap

page read and write

9E0000

heap

page read and write

5BB0000

heap

page read and write

9CE000

heap

page read and write

9BA000

heap

page read and write

A54000

heap

page read and write

9A7000

heap

page read and write

9E3000

heap

page read and write

930000

heap

page read and write

6FB000

stack

page read and write

9D9000

heap

page read and write

4EA9000

heap

page read and write

8AE000

unkown

page read and write

101E000

stack

page read and write

4E92000

heap

page read and write

A5E000

heap

page read and write

9E6000

heap

page read and write

FA0000

trusted library allocation

page read and write

C88000

heap

page read and write

9DE000

heap

page read and write

9E9000

heap

page read and write

FAA000

trusted library allocation

page execute and read and write

9CC000

heap

page read and write

5AED000

heap

page read and write

9D7000

heap

page read and write

A10000

heap

page read and write

A51000

heap

page read and write

9B6000

heap

page read and write

A08000

heap

page read and write

FB7000

trusted library allocation

page execute and read and write

9B9000

heap

page read and write

A13000

heap

page read and write

D53000

heap

page read and write

9E5000

heap

page read and write

4FD0000

trusted library allocation

page read and write

A50000

heap

page read and write

2D05000

trusted library allocation

page read and write

4E5E000

stack

page read and write

A50000

heap

page read and write

A10000

heap

page read and write

FA2000

trusted library allocation

page execute and read and write

5AFB000

heap

page read and write

9E8000

heap

page read and write

4FC9000

stack

page read and write

9B6000

heap

page read and write

A08000

heap

page read and write

A36000

heap

page read and write

9EB000

heap

page read and write

4F4A000

stack

page read and write

9E3000

heap

page read and write

4EA7000

heap

page read and write

9AD000

heap

page read and write

A36000

heap

page read and write

A03000

heap

page read and write

9B8000

heap

page read and write

1260000

heap

page read and write

9AD000

heap

page read and write

2D17000

trusted library allocation

page read and write

9E9000

heap

page read and write

A50000

heap

page read and write

A11000

heap

page read and write

9CF000

heap

page read and write

4E94000

heap

page read and write

1050000

trusted library allocation

page read and write

9A8000

heap

page read and write

4FE0000

trusted library allocation

page execute and read and write

5013000

heap

page read and write

A50000

heap

page read and write

9E1000

heap

page read and write

A5E000

heap

page read and write

1250000

trusted library allocation

page execute and read and write

AF9000

stack

page read and write

4EA8000

heap

page read and write

A03000

heap

page read and write

4820000

heap

page read and write

9B9000

heap

page read and write

750000

heap

page read and write

9B5000

heap

page read and write

4E60000

trusted library allocation

page read and write

9AA000

heap

page read and write

9D0000

heap

page read and write

9CC000

heap

page read and write

55D0000

heap

page read and write

72A000

stack

page read and write

2CC1000

trusted library allocation

page read and write

9CC000

heap

page read and write

4F8C000

stack

page read and write

4E70000

heap

page read and write

9B7000

heap

page read and write

9B6000

heap

page read and write

51BE000

stack

page read and write

4CC8000

trusted library allocation

page read and write

7F3E0000

trusted library allocation

page execute and read and write

9EB000

heap

page read and write

9BA000

heap

page read and write

9ED000

heap

page read and write

9D8000

heap

page read and write

A54000

heap

page read and write

582E000

stack

page read and write

994000

heap

page read and write

690000

unkown

page readonly

9D2000

heap

page read and write

C30000

heap

page read and write

A08000

heap

page read and write

A35000

heap

page read and write

C8E000

heap

page read and write

5AB0000

heap

page read and write

119E000

stack

page read and write

9D9000

heap

page read and write

9EE000

heap

page read and write

A10000

heap

page read and write

9AD000

heap

page read and write

9DD000

heap

page read and write

9BA000

heap

page read and write

4E9D000

heap

page read and write

10AC000

stack

page read and write

9EC000

heap

page read and write

9D9000

heap

page read and write

A53000

heap

page read and write

4EA8000

heap

page read and write

795000

heap

page read and write

790000

heap

page read and write

4930000

heap

page read and write

D0D000

heap

page read and write

FCA000

trusted library allocation

page execute and read and write

A36000

heap

page read and write

4E93000

heap

page read and write

9E1000

heap

page read and write

9A5000

heap

page read and write

F9A000

trusted library allocation

page execute and read and write

5A90000

trusted library allocation

page execute and read and write

4E92000

heap

page read and write

A5E000

heap

page read and write

A5E000

heap

page read and write

F92000

trusted library allocation

page execute and read and write

9E4000

heap

page read and write

A50000

heap

page read and write

A32000

heap

page read and write

7A0000

heap

page read and write

770000

heap

page read and write

6EE000

stack

page read and write

4EA0000

heap

page read and write

3CC1000

trusted library allocation

page read and write

325A000

trusted library allocation

page read and write

9D9000

heap

page read and write

CBF000

heap

page read and write

9EB000

heap

page read and write

9D8000

heap

page read and write

9E1000

heap

page read and write

B5E000

unkown

page read and write

9E0000

heap

page read and write

C80000

heap

page read and write

4F0C000

stack

page read and write

960000

heap

page read and write

5AB5000

heap

page read and write

4FF0000

unclassified section

page read and write

9BB000

heap

page read and write

4E91000

heap

page read and write

9ED000

heap

page read and write

4E94000

heap

page read and write

9AA000

heap

page read and write

795000

heap

page read and write

10B6000

heap

page read and write

9EB000

heap

page read and write

A36000

heap

page read and write

A5E000

heap

page read and write

C5E000

stack

page read and write

4E98000

heap

page read and write

10B0000

heap

page read and write

C0E000

stack

page read and write

A08000

heap

page read and write

9E8000

heap

page read and write

9BB000

heap

page read and write

10B0000

heap

page read and write

9E8000

heap

page read and write

6F4000

stack

page read and write

FD7000

trusted library allocation

page execute and read and write

9D8000

heap

page read and write

9CC000

heap

page read and write

9E9000

heap

page read and write

A08000

heap

page read and write

5010000

heap

page read and write

There are 252 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
OLHskBFtS1.exe

Files

Processes

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOLHskBFtS1.exe

Files

Processes

Domains

IPs

Registry

Memdumps

IOC Report
OLHskBFtS1.exe