Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1iYCBTo5tf.exe

"C:\Users\user\Desktop\1iYCBTo5tf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6336
Target ID:	1
Parent PID:	4088
Name:	1iYCBTo5tf.exe
Path:	C:\Users\user\Desktop\1iYCBTo5tf.exe
Commandline:	"C:\Users\user\Desktop\1iYCBTo5tf.exe"
Size:	228688
MD5:	60031F413C1E9F1191A6C08C4802532C
Time:	08:53:29
Date:	09/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x550000
Modulesize:	196608
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

213.21.220.222:8080

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

https://api.ip.sb/ipP

unknown

http://tempuri.org/RestAPI/TreeObject2ResponseXx

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyl

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://tempuri.org/RestAPI/TreeObject3ResponseXx

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/fault

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/RestAPI/TreeObject1ResponseXx

unknown

https://api.ip.sb/ip0

unknown

http://tempuri.org/RestAPI/TreeObject2

unknown

http://tempuri.org/RestAPI/TreeObject1

unknown

http://tempuri.org/RestAPI/TreeObject3

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage

unknown

http://tempuri.org/8)

unknown

http://tempuri.org/RestAPI/

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence

unknown

https://api.ip.s0

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

There are 17 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

213.21.220.222

unknown

Latvia

Details

IP:	213.21.220.222
TargetID:	1
Current Path:	C:\Users\user\Desktop\1iYCBTo5tf.exe
Country:	Latvia
Countrycode:	LVA
ASN number:	8285
ASN name:	VERSIALV
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

552000

unkown

page readonly

4EF0000

trusted library allocation

page read and write

4EB0000

trusted library allocation

page read and write

4DC0000

trusted library allocation

page read and write

2ACE000

trusted library allocation

page read and write

5107000

heap

page read and write

4D10000

trusted library allocation

page read and write

E86000

trusted library allocation

page execute and read and write

E97000

trusted library allocation

page execute and read and write

2A8C000

trusted library allocation

page read and write

E95000

trusted library allocation

page execute and read and write

4DB1000

trusted library allocation

page read and write

2700000

trusted library allocation

page read and write

4F00000

trusted library allocation

page read and write

4D30000

trusted library allocation

page read and write

2A07000

trusted library allocation

page read and write

E8A000

trusted library allocation

page execute and read and write

C50000

heap

page read and write

53EE000

stack

page read and write

C77000

heap

page read and write

4EC0000

heap

page execute and read and write

4D80000

trusted library allocation

page read and write

B30000

heap

page read and write

4D78000

trusted library allocation

page read and write

E82000

trusted library allocation

page read and write

4E90000

trusted library allocation

page read and write

4DE0000

trusted library allocation

page read and write

28D7000

trusted library allocation

page read and write

4D46000

trusted library allocation

page read and write

4D6A000

trusted library allocation

page read and write

C58000

heap

page read and write

4DCE000

trusted library allocation

page read and write

28CF000

trusted library allocation

page read and write

E92000

trusted library allocation

page read and write

4E20000

trusted library allocation

page read and write

50F9000

heap

page read and write

3839000

trusted library allocation

page read and write

C8A000

heap

page read and write

510A000

heap

page read and write

E60000

trusted library allocation

page read and write

C96000

heap

page read and write

4DC8000

trusted library allocation

page read and write

4D3B000

trusted library allocation

page read and write

83C000

stack

page read and write

2720000

heap

page read and write

293F000

trusted library allocation

page read and write

A80000

heap

page read and write

4DD0000

trusted library allocation

page read and write

3831000

trusted library allocation

page read and write

E9B000

trusted library allocation

page execute and read and write

E70000

trusted library allocation

page read and write

2884000

trusted library allocation

page read and write

2710000

heap

page execute and read and write

B10000

heap

page read and write

4D70000

trusted library allocation

page read and write

4D41000

trusted library allocation

page read and write

4F4E000

stack

page read and write

4EE0000

trusted library allocation

page read and write

4D5E000

trusted library allocation

page read and write

E6D000

trusted library allocation

page execute and read and write

970000

heap

page read and write

4D52000

trusted library allocation

page read and write

7EF30000

trusted library allocation

page execute and read and write

C3E000

stack

page read and write

ACE000

stack

page read and write

28BC000

trusted library allocation

page read and write

52EF000

stack

page read and write

54EE000

stack

page read and write

C5E000

heap

page read and write

4FCE000

stack

page read and write

2831000

trusted library allocation

page read and write

29BB000

trusted library allocation

page read and write

4DA1000

trusted library allocation

page read and write

4E10000

trusted library allocation

page execute and read and write

26F0000

trusted library allocation

page execute and read and write

4FD0000

trusted library allocation

page read and write

4EA0000

trusted library allocation

page execute and read and write

2A4A000

trusted library allocation

page read and write

4D75000

trusted library allocation

page read and write

49CE000

stack

page read and write

26ED000

stack

page read and write

2660000

trusted library allocation

page read and write

A85000

heap

page read and write

4E30000

trusted library allocation

page execute and read and write

2928000

trusted library allocation

page read and write

282F000

stack

page read and write

550000

unkown

page readonly

E7D000

trusted library allocation

page execute and read and write

937000

stack

page read and write

EA0000

heap

page read and write

E50000

trusted library allocation

page read and write

4D61000

trusted library allocation

page read and write

E64000

trusted library allocation

page read and write

28CB000

trusted library allocation

page read and write

E63000

trusted library allocation

page execute and read and write

26AE000

stack

page read and write

4E40000

trusted library allocation

page read and write

D32000

heap

page read and write

4D90000

trusted library allocation

page read and write

4F8E000

stack

page read and write

A50000

heap

page read and write

E80000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page execute and read and write

2924000

trusted library allocation

page read and write

4D7B000

trusted library allocation

page read and write

50F0000

heap

page read and write

There are 96 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1iYCBTo5tf.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1iYCBTo5tf.exe

Processes

URLs

IPs

Memdumps

IOC Report
1iYCBTo5tf.exe