Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.811683523254202
Filename:	file.exe
Filesize:	141824
MD5:	cae3f7ae06655eb93f5dfb028ddd3d6d
SHA1:	54821b16fab00ec529f0b99e1d49de8d291eb492
SHA256:	1fc74fb83aebbe5a37b41e7a4e900a83288618ca696d76a717e2d6a51fad343f
SHA512:	e2226e3ba2c9bd079db74dcc0cb87f8d6449c99dfe3d2ccae0dda40b7c1a1ca3b77341e49c72bbb183aca86fd29960a70836bfb758f42c3bf83605b3f808dad8
SSDEEP:	1536:6KQx+JZ4AV5zOvv24ajo8OFbebA+fnnlNWu0SBs54K4UAfJw1oKrY14a9ilmdz82:6RxSdvzODaM8Olevnlp65mJw1bpuMuf
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g.........."...0.. ...........?... ...@....@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Machine Learning detection for sample	AV Detection
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.364175471524945
Encrypted:	false
Ssdeep:	24:ML9E4KQwKDE4KGKZI6KhBsXE4Np51qE4GIsCKIE4TKBGKoZAE4KKUN8E4KD:MxHKQwYHKGSI6okHNp51qHGIsCtHTHhX
Size:	1498
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7140
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	141824
MD5:	CAE3F7AE06655EB93F5DFB028DDD3D6D
Time:	17:56:52
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1e393020000
Modulesize:	163840
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Generic Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://t.me/

unknown

https://duckduckgo.com/ac/?q=

unknown

https://t.me/freakcodingspot

unknown

https://api.telegram.org

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://api.telegram.org/bot

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

https://t.me/TheDyer

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://get.geH

unknown

https://www.ecosia.org/newtab/

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://get.geojs.io

unknown

https://api.tele

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://schemas.xmlsoap.org/wsdl/

unknown

https://get.geojs.io

unknown

https://api.telegram.org/bot6217988193:AAFiJwdcFHDuCM08fAA_dnBQZGLDPSVjUQY/sendDocument

149.154.167.220

https://get.geojs.io/v1/ip/geo.json

104.26.0.100

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://t.me/webster480

unknown

There are 15 hidden URLs, click here to show them.

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

get.geojs.io

104.26.0.100

Details

Name:	get.geojs.io
IP:	104.26.0.100
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.26.0.100

get.geojs.io

United States

Details

IP:	104.26.0.100
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	get.geojs.io

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1E394D0B000

trusted library allocation

page read and write

1E393384000

heap

page read and write

7FF848F40000

trusted library allocation

page read and write

1E3A5051000

trusted library allocation

page read and write

1E393440000

heap

page execute and read and write

1E3AD8C8000

heap

page read and write

1E3AD8A5000

heap

page read and write

1E3932D1000

heap

page read and write

1E394EEA000

trusted library allocation

page read and write

1E3AE680000

heap

page read and write

7FF848F44000

trusted library allocation

page read and write

1E3AD79D000

heap

page read and write

7FF848D8D000

trusted library allocation

page execute and read and write

1E3931F0000

heap

page read and write

1E3AD553000

heap

page read and write

1E3AD7D2000

heap

page read and write

1E3AD7C9000

heap

page read and write

1E394E73000

trusted library allocation

page read and write

7FF848F71000

trusted library allocation

page read and write

1E3AD5B0000

heap

page execute and read and write

1E3AD84B000

heap

page read and write

1E3AD7EE000

heap

page read and write

7FF848F50000

trusted library allocation

page execute and read and write

1E3932F4000

heap

page read and write

1E393020000

unkown

page readonly

42B5DFE000

stack

page read and write

1E3AD8EC000

heap

page read and write

1E3AD48D000

heap

page read and write

1E3AD7A9000

heap

page read and write

7FF848D74000

trusted library allocation

page read and write

1E3932B0000

heap

page read and write

1E3AD690000

heap

page read and write

1E3AD8D8000

heap

page read and write

42B52FE000

stack

page read and write

42B4DEF000

stack

page read and write

7FF848D70000

trusted library allocation

page read and write

1E394EC4000

trusted library allocation

page read and write

7FF848D9B000

trusted library allocation

page execute and read and write

7FF848D73000

trusted library allocation

page execute and read and write

7FF848F80000

trusted library allocation

page read and write

1E3AD800000

heap

page read and write

1E3AD770000

heap

page read and write

1E394E7B000

trusted library allocation

page read and write

7FF848F60000

trusted library allocation

page execute and read and write

1E3AD8DC000

heap

page read and write

42B5FFD000

stack

page read and write

7FF4D6120000

trusted library allocation

page execute and read and write

1E393020000

unkown

page readonly

1E3AD46E000

heap

page read and write

42B5BFE000

stack

page read and write

1E3AD885000

heap

page read and write

1E394DC6000

trusted library allocation

page read and write

42B53FF000

stack

page read and write

1E394CF9000

trusted library allocation

page read and write

7FF848E56000

trusted library allocation

page execute and read and write

42B5CFD000

stack

page read and write

1E3A52E7000

trusted library allocation

page read and write

1E3AD868000

heap

page read and write

1E3A4EF9000

trusted library allocation

page read and write

1E395095000

trusted library allocation

page read and write

1E393250000

trusted library allocation

page read and write

1E394CF0000

trusted library allocation

page read and write

7FF848D94000

trusted library allocation

page read and write

7FF848D7D000

trusted library allocation

page execute and read and write

1E3AD496000

heap

page read and write

1E3AD881000

heap

page read and write

42B55FC000

stack

page read and write

1E3AD780000

heap

page read and write

1E394E82000

trusted library allocation

page read and write

7FF848D9D000

trusted library allocation

page execute and read and write

1E3AD915000

heap

page read and write

1E3AD48A000

heap

page read and write

1E393480000

heap

page read and write

42B50F3000

stack

page read and write

1E394EFA000

trusted library allocation

page read and write

1E393240000

heap

page read and write

42B56FE000

stack

page read and write

1E3A4EEC000

trusted library allocation

page read and write

1E3A4EDF000

trusted library allocation

page read and write

1E3932F1000

heap

page read and write

7FF848E2C000

trusted library allocation

page execute and read and write

1E3931D0000

heap

page read and write

1E394D25000

trusted library allocation

page read and write

1E3931B0000

heap

page read and write

7FF848DCC000

trusted library allocation

page execute and read and write

42B51FF000

stack

page read and write

1E3AD513000

heap

page read and write

1E3930D0000

heap

page read and write

1E393372000

heap

page read and write

1E393450000

trusted library allocation

page read and write

1E3AD895000

heap

page read and write

7FF848E26000

trusted library allocation

page read and write

1E3A4CB1000

trusted library allocation

page read and write

1E394E0E000

trusted library allocation

page read and write

1E39331E000

heap

page read and write

42B59FD000

stack

page read and write

1E3A4CF7000

trusted library allocation

page read and write

1E393387000

heap

page read and write

7FF848E90000

trusted library allocation

page execute and read and write

1E3932DC000

heap

page read and write

1E3934E5000

heap

page read and write

1E394C91000

trusted library allocation

page read and write

7FF848F20000

trusted library allocation

page read and write

1E3AD460000

heap

page read and write

1E3A4EE7000

trusted library allocation

page read and write

1E3AE691000

heap

page read and write

1E3AD816000

heap

page read and write

1E3934E0000

heap

page read and write

1E3AD874000

heap

page read and write

1E3A4CA0000

trusted library allocation

page read and write

1E3934EB000

heap

page read and write

1E3AD8F0000

heap

page read and write

1E3AD8CB000

heap

page read and write

42B54FE000

stack

page read and write

1E393270000

trusted library allocation

page read and write

1E394EC8000

trusted library allocation

page read and write

7FF848D80000

trusted library allocation

page read and write

7FF848F82000

trusted library allocation

page read and write

1E3A4C91000

trusted library allocation

page read and write

1E3AD535000

heap

page read and write

7FF848E30000

trusted library allocation

page execute and read and write

1E3AD858000

heap

page read and write

1E3AD7B2000

heap

page read and write

7FF848F10000

trusted library allocation

page read and write

1E39331C000

heap

page read and write

1E394CFB000

trusted library allocation

page read and write

1E3AD4CD000

heap

page read and write

7FF848F30000

trusted library allocation

page read and write

1E393245000

heap

page read and write

1E3AD7D7000

heap

page read and write

7FF848E20000

trusted library allocation

page read and write

1E3A4EF3000

trusted library allocation

page read and write

1E3AD532000

heap

page read and write

1E3A50D7000

trusted library allocation

page read and write

1E3AD483000

heap

page read and write

1E3ACCC0000

trusted library allocation

page read and write

7FF848D72000

trusted library allocation

page read and write

1E394EB8000

trusted library allocation

page read and write

1E3932B6000

heap

page read and write

1E3AD789000

heap

page read and write

1E394D07000

trusted library allocation

page read and write

1E393370000

heap

page read and write

7FF848D90000

trusted library allocation

page read and write

1E3AD825000

heap

page read and write

42B60FE000

stack

page read and write

1E3AE69A000

heap

page read and write

42B57FE000

stack

page read and write

1E3AD4C1000

heap

page read and write

1E3AD7DD000

heap

page read and write

1E394EB6000

trusted library allocation

page read and write

42B58FE000

stack

page read and write

1E3A4ED9000

trusted library allocation

page read and write

42B5EFE000

stack

page read and write

1E3AD7B9000

heap

page read and write

1E3AD883000

heap

page read and write

1E393022000

unkown

page readonly

There are 146 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe