Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

"C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6320
Target ID:	0
Parent PID:	2580
Name:	17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Path:	C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Commandline:	"C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe"
Size:	48640
MD5:	EA189587EDA182B5EDCB3B4977DBE529
Time:	12:09:13
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x870000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected DcRat	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

sostener2024.duckdns.org

Details

Name:	sostener2024.duckdns.org
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Source:	17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

sostener2024.duckdns.org

192.169.69.26

Details

Name:	sostener2024.duckdns.org
IP:	192.169.69.26
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

192.169.69.26

sostener2024.duckdns.org

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

872000

unkown

page readonly

7FFD9B804000

trusted library allocation

page read and write

7FFD9B8C6000

trusted library allocation

page execute and read and write

1B9BE000

stack

page read and write

CB0000

heap

page read and write

10C0000

trusted library allocation

page read and write

1B8BE000

stack

page read and write

1B4C0000

heap

page read and write

1165000

heap

page read and write

7FFD9B900000

trusted library allocation

page execute and read and write

7FFD9B890000

trusted library allocation

page read and write

1BABF000

stack

page read and write

7FF4A7B50000

trusted library allocation

page execute and read and write

D24000

heap

page read and write

10B0000

trusted library allocation

page read and write

7FFD9B7E4000

trusted library allocation

page read and write

C50000

heap

page read and write

1B663000

heap

page read and write

CDD000

heap

page read and write

D26000

heap

page read and write

D3A000

heap

page read and write

2B84000

heap

page read and write

C55000

heap

page read and write

7FFD9B7F0000

trusted library allocation

page read and write

7FFD9B80D000

trusted library allocation

page execute and read and write

C10000

heap

page read and write

CF3000

heap

page read and write

CDA000

heap

page read and write

C20000

heap

page read and write

1B5C0000

heap

page read and write

D1C000

heap

page read and write

D1E000

heap

page read and write

7FFD9B89C000

trusted library allocation

page execute and read and write

1090000

trusted library allocation

page read and write

7FFD9B896000

trusted library allocation

page read and write

CD3000

heap

page read and write

7FFD9B7FD000

trusted library allocation

page execute and read and write

F7F000

stack

page read and write

870000

unkown

page readonly

12D03000

trusted library allocation

page read and write

7FFD9B7E3000

trusted library allocation

page execute and read and write

7FFD9B7F3000

trusted library allocation

page read and write

2D01000

trusted library allocation

page read and write

7FFD9B980000

trusted library allocation

page read and write

7FFD9B8A0000

trusted library allocation

page execute and read and write

7FFD9B7ED000

trusted library allocation

page execute and read and write

CE5000

heap

page read and write

C60000

heap

page read and write

CF0000

heap

page read and write

870000

unkown

page readonly

1160000

heap

page read and write

CC5000

heap

page read and write

C80000

heap

page read and write

12D01000

trusted library allocation

page read and write

10C3000

trusted library allocation

page read and write

87E000

unkown

page readonly

7FFD9B83C000

trusted library allocation

page execute and read and write

7FFD9B800000

trusted library allocation

page read and write

2B0E000

stack

page read and write

1B17D000

stack

page read and write

9C4000

stack

page read and write

2CF0000

heap

page execute and read and write

CBC000

heap

page read and write

1110000

heap

page execute and read and write

2B70000

heap

page read and write

There are 55 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe