Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\bac4j0DRRb.exe

"C:\Users\user\Desktop\bac4j0DRRb.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4028
Target ID:	0
Parent PID:	1028
Name:	bac4j0DRRb.exe
Path:	C:\Users\user\Desktop\bac4j0DRRb.exe
Commandline:	"C:\Users\user\Desktop\bac4j0DRRb.exe"
Size:	98304
MD5:	AD9E28142AB51F364542C7DAC2D73A8C
Time:	15:01:57
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x450000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

ierinapu.xyz:80

http://ierinapu.xyz/

18.141.10.107

https://ipinfo.io/ip%appdata%

unknown

http://tempuri.org/Endpoint/GetArgumentsLRjq

unknown

https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy

unknown

http://tempuri.org/Endpoint/GetArguments

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

https://api.ip.sb/geoip%USERPEnvironmentROFILE%

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://ierinapu.xyz

unknown

http://tempuri.org/

unknown

http://tempuri.org/Endpoint/VerifyUpdateResponse

unknown

http://tempuri.org/Endpoint/GetArgumentsResponse

unknown

https://api.ipify.org

unknown

http://tempuri.org/0t

unknown

http://tempuri.org/Endpoint/VerifyScanRequestLRjq(

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/Endpoint/GetUpdatesResponse

unknown

http://ierinapu.xyz:80/

unknown

http://tempuri.org/Endpoint/

unknown

http://tempuri.org/Endpoint/VerifyUpdateLRjq

unknown

http://tempuri.org/Endpoint/GetArgumentsT

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultH

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://tempuri.org/Endpoint/VerifyScanRequestResponse

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

http://tempuri.org/Endpoint/GetUpdatesLRjq

unknown

There are 17 hidden URLs, click here to show them.

Domains

Name

Malicious

ierinapu.xyz

18.141.10.107

Details

Name:	ierinapu.xyz
IP:	18.141.10.107
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Performs DNS queries to domains with low reputation	Networking
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

18.141.10.107

ierinapu.xyz

United States

Details

IP:	18.141.10.107
TargetID:	0
Current Path:	C:\Users\user\Desktop\bac4j0DRRb.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	ierinapu.xyz

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\bac4j0DRRb_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

452000

unkown

page readonly

900000

heap

page read and write

4A0E000

stack

page read and write

2906000

trusted library allocation

page read and write

4D94000

trusted library allocation

page read and write

97A000

heap

page read and write

860000

heap

page read and write

29DB000

trusted library allocation

page read and write

5BCE000

stack

page read and write

8D0000

heap

page read and write

5F50000

heap

page read and write

927000

heap

page read and write

90E000

heap

page read and write

4E50000

trusted library allocation

page execute and read and write

29F5000

trusted library allocation

page read and write

294C000

trusted library allocation

page read and write

4F7E000

stack

page read and write

2A51000

trusted library allocation

page read and write

299D000

trusted library allocation

page read and write

942000

heap

page read and write

4FC000

stack

page read and write

264A000

trusted library allocation

page execute and read and write

4E30000

trusted library allocation

page read and write

618F000

stack

page read and write

4D7E000

trusted library allocation

page read and write

4EE0000

trusted library allocation

page read and write

2860000

heap

page read and write

4E60000

trusted library allocation

page read and write

870000

heap

page read and write

4DE0000

trusted library allocation

page read and write

2ABC000

trusted library allocation

page read and write

298D000

trusted library allocation

page read and write

26D0000

trusted library allocation

page read and write

5CCE000

stack

page read and write

4DF0000

trusted library allocation

page read and write

46A000

unkown

page readonly

4EF0000

trusted library allocation

page read and write

5F60000

heap

page read and write

2AB8000

trusted library allocation

page read and write

2642000

trusted library allocation

page read and write

534F000

stack

page read and write

5E4E000

stack

page read and write

2652000

trusted library allocation

page read and write

90A000

heap

page read and write

501E000

stack

page read and write

5F92000

heap

page read and write

29D6000

trusted library allocation

page read and write

E7D000

trusted library allocation

page execute and read and write

28F8000

trusted library allocation

page read and write

4D72000

trusted library allocation

page read and write

291E000

trusted library allocation

page read and write

4DA0000

trusted library allocation

page read and write

2909000

trusted library allocation

page read and write

29CC000

trusted library allocation

page read and write

2900000

trusted library allocation

page read and write

5F9E000

heap

page read and write

2ADB000

trusted library allocation

page read and write

E8D000

trusted library allocation

page execute and read and write

4FDE000

stack

page read and write

4F90000

trusted library allocation

page execute and read and write

4F3D000

stack

page read and write

4D98000

trusted library allocation

page read and write

26E0000

heap

page execute and read and write

4EB0000

trusted library allocation

page read and write

29D4000

trusted library allocation

page read and write

5E0E000

stack

page read and write

6190000

trusted library allocation

page read and write

E60000

trusted library allocation

page read and write

4EDA000

trusted library allocation

page read and write

9E2000

heap

page read and write

5F9C000

heap

page read and write

291C000

trusted library allocation

page read and write

4D81000

trusted library allocation

page read and write

E80000

trusted library allocation

page read and write

4D5B000

trusted library allocation

page read and write

608E000

stack

page read and write

4DB0000

trusted library allocation

page read and write

4DC1000

trusted library allocation

page read and write

E74000

trusted library allocation

page read and write

4E40000

trusted library allocation

page execute and read and write

26C0000

trusted library allocation

page execute and read and write

2657000

trusted library allocation

page execute and read and write

2646000

trusted library allocation

page execute and read and write

4D90000

trusted library allocation

page read and write

5F4F000

stack

page read and write

296D000

trusted library allocation

page read and write

2850000

trusted library allocation

page read and write

2AAD000

trusted library allocation

page read and write

4D9A000

trusted library allocation

page read and write

4D50000

trusted library allocation

page read and write

4EC0000

trusted library allocation

page read and write

E73000

trusted library allocation

page execute and read and write

E90000

heap

page read and write

5F8000

stack

page read and write

2916000

trusted library allocation

page read and write

450000

unkown

page readonly

512E000

stack

page read and write

293F000

trusted library allocation

page read and write

2830000

heap

page read and write

B50000

heap

page read and write

E70000

trusted library allocation

page read and write

282E000

stack

page read and write

2871000

trusted library allocation

page read and write

8D5000

heap

page read and write

2A15000

trusted library allocation

page read and write

3871000

trusted library allocation

page read and write

4E00000

trusted library allocation

page read and write

4F80000

trusted library allocation

page execute and read and write

4D66000

trusted library allocation

page read and write

2640000

trusted library allocation

page read and write

2939000

trusted library allocation

page read and write

2A05000

trusted library allocation

page read and write

2670000

trusted library allocation

page read and write

2650000

trusted library allocation

page read and write

5D0E000

stack

page read and write

4D61000

trusted library allocation

page read and write

297D000

trusted library allocation

page read and write

5020000

heap

page execute and read and write

4EDD000

trusted library allocation

page read and write

2655000

trusted library allocation

page execute and read and write

265B000

trusted library allocation

page execute and read and write

29AD000

trusted library allocation

page read and write

27EE000

stack

page read and write

7F430000

trusted library allocation

page execute and read and write

26BE000

stack

page read and write

There are 115 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
bac4j0DRRb.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportbac4j0DRRb.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
bac4j0DRRb.exe