Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SPA-198-2024.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.909868707606551
Filename:	SPA-198-2024.exe
Filesize:	893952
MD5:	018636d5cf9775c57e733e0f8f8de8a1
SHA1:	ea30ceaf5fd685557e735c704953e367c11914cc
SHA256:	04dab42e8f694a3fac6b3ea2532462e89e9118c928545710a872d34874376a49
SHA512:	be9cb78934e1c25599ca37eab3c6e28b9412fecfe550ddb7b2c793c5311f1dbe21060ebb24ae3d59368c6f8e4d44de507bcd6c6e87715e300793b395b32d1a73
SSDEEP:	12288:nqmgMfzuwYwBZ7yZGxi2Zn9nwQc1xQI8rjF2sUp083rBhxwnLoNq/B:qzszBpExghEBfNy
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SPA-198-2024.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SPA-198-2024.exe.log
Category:	dropped
Dump:	SPA-198-2024.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SPA-198-2024.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SPA-198-2024.exe

"C:\Users\user\Desktop\SPA-198-2024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6228
Target ID:	0
Parent PID:	4004
Name:	SPA-198-2024.exe
Path:	C:\Users\user\Desktop\SPA-198-2024.exe
Commandline:	"C:\Users\user\Desktop\SPA-198-2024.exe"
Size:	893952
MD5:	018636D5CF9775C57E733E0F8F8DE8A1
Time:	15:35:28
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x440000
Modulesize:	917504
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SPA-198-2024.exe

"C:\Users\user\Desktop\SPA-198-2024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1776
Target ID:	3
Parent PID:	6228
Name:	SPA-198-2024.exe
Path:	C:\Users\user\Desktop\SPA-198-2024.exe
Commandline:	"C:\Users\user\Desktop\SPA-198-2024.exe"
Size:	893952
MD5:	018636D5CF9775C57E733E0F8F8DE8A1
Time:	15:35:30
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	917504
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

1D90000

direct allocation

page read and write

4F43000

heap

page read and write

C66000

heap

page read and write

C00000

trusted library allocation

page read and write

53A3000

heap

page read and write

CF4000

heap

page read and write

4F50000

trusted library allocation

page read and write

5080000

heap

page execute and read and write

ACE0000

heap

page read and write

2971000

trusted library allocation

page read and write

14FC000

stack

page read and write

6CEE000

stack

page read and write

8C6E000

stack

page read and write

D2A000

heap

page read and write

5160000

trusted library allocation

page execute and read and write

B6F000

stack

page read and write

BE0000

trusted library allocation

page read and write

89EE000

stack

page read and write

8AEE000

stack

page read and write

111D000

stack

page read and write

910000

heap

page read and write

2790000

heap

page read and write

1B6D000

direct allocation

page execute and read and write

28C0000

trusted library allocation

page read and write

2770000

trusted library allocation

page read and write

EC0000

heap

page read and write

8325000

heap

page read and write

BAE000

stack

page read and write

28C5000

trusted library allocation

page read and write

5220000

heap

page read and write

4FEB000

stack

page read and write

5360000

heap

page read and write

B2C0000

trusted library section

page read and write

8512000

trusted library allocation

page read and write

29BC000

trusted library allocation

page read and write

2880000

trusted library allocation

page read and write

8B2E000

stack

page read and write

BF4000

trusted library allocation

page read and write

54E0000

trusted library allocation

page execute and read and write

5200000

trusted library allocation

page read and write

E50000

trusted library allocation

page read and write

440000

unkown

page readonly

4A6C000

stack

page read and write

5380000

heap

page read and write

1CF1000

direct allocation

page execute and read and write

29AF000

trusted library allocation

page read and write

C81000

heap

page read and write

BF0000

trusted library allocation

page read and write

BFD000

trusted library allocation

page execute and read and write

54AE000

stack

page read and write

2960000

heap

page execute and read and write

C12000

trusted library allocation

page read and write

54F0000

trusted library allocation

page read and write

EC7000

heap

page read and write

11E0000

heap

page read and write

288B000

trusted library allocation

page read and write

5210000

trusted library allocation

page execute and read and write

C16000

trusted library allocation

page execute and read and write

283E000

stack

page read and write

C40000

heap

page read and write

1B69000

direct allocation

page execute and read and write

A60000

heap

page read and write

CEC000

heap

page read and write

4204000

trusted library allocation

page read and write

C27000

trusted library allocation

page execute and read and write

C0D000

trusted library allocation

page execute and read and write

E3E000

stack

page read and write

28F0000

trusted library allocation

page read and write

5351000

trusted library allocation

page read and write

5370000

heap

page read and write

CA1000

heap

page read and write

16E0000

heap

page read and write

3979000

trusted library allocation

page read and write

A3D000

stack

page read and write

8D6E000

stack

page read and write

8340000

heap

page read and write

27B0000

trusted library allocation

page execute and read and write

11CE000

stack

page read and write

CDE000

heap

page read and write

15E0000

heap

page read and write

2930000

heap

page read and write

C1A000

trusted library allocation

page execute and read and write

2942000

trusted library allocation

page read and write

51C000

unkown

page readonly

1A40000

direct allocation

page execute and read and write

4F90000

trusted library allocation

page execute and read and write

28AD000

trusted library allocation

page read and write

287B000

stack

page read and write

2950000

trusted library allocation

page execute and read and write

706D000

stack

page read and write

6AB0000

heap

page read and write

8F7000

stack

page read and write

28D0000

trusted library allocation

page read and write

C2B000

trusted library allocation

page execute and read and write

BF3000

trusted library allocation

page execute and read and write

29A9000

trusted library allocation

page read and write

28A1000

trusted library allocation

page read and write

1A1F000

stack

page read and write

AEDD000

stack

page read and write

5130000

heap

page read and write

C10000

trusted library allocation

page read and write

11D0000

heap

page read and write

6DEE000

stack

page read and write

1180000

heap

page read and write

18DE000

stack

page read and write

276E000

stack

page read and write

C30000

heap

page read and write

7F8D0000

trusted library allocation

page execute and read and write

5150000

trusted library allocation

page read and write

BB0000

heap

page read and write

54D0000

trusted library allocation

page read and write

1D0D000

direct allocation

page execute and read and write

1D06000

direct allocation

page execute and read and write

AFDD000

stack

page read and write

5330000

trusted library allocation

page read and write

5140000

heap

page read and write

EA0000

trusted library allocation

page execute and read and write

4FF0000

trusted library section

page readonly

8374000

heap

page read and write

4F40000

heap

page read and write

54B0000

trusted library section

page read and write

28A6000

trusted library allocation

page read and write

A65000

heap

page read and write

41C7000

trusted library allocation

page read and write

2947000

trusted library allocation

page read and write

1E80000

heap

page read and write

6CAE000

stack

page read and write

2C00000

trusted library allocation

page read and write

532D000

stack

page read and write

5365000

heap

page read and write

6ABE000

heap

page read and write

28B2000

trusted library allocation

page read and write

442000

unkown

page readonly

1D88000

direct allocation

page execute and read and write

191E000

stack

page read and write

5AA000

stack

page read and write

15E8000

heap

page read and write

C7F000

heap

page read and write

C74000

heap

page read and write

27FE000

stack

page read and write

289E000

trusted library allocation

page read and write

C85000

heap

page read and write

C4E000

heap

page read and write

CF8000

heap

page read and write

E9E000

stack

page read and write

4F70000

trusted library allocation

page read and write

2940000

trusted library allocation

page read and write

8C2F000

stack

page read and write

3971000

trusted library allocation

page read and write

CD8000

heap

page read and write

8310000

heap

page read and write

837F000

heap

page read and write

1BDE000

direct allocation

page execute and read and write

702D000

stack

page read and write

A927000

trusted library allocation

page read and write

C22000

trusted library allocation

page read and write

EB0000

trusted library allocation

page read and write

2780000

trusted library allocation

page read and write

4F80000

trusted library allocation

page read and write

9F0000

heap

page read and write

There are 151 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SPA-198-2024.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSPA-198-2024.exe

Files

Processes

Memdumps

IOC Report
SPA-198-2024.exe