Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\utkin.exe

"C:\Users\user\Desktop\utkin.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1772
Target ID:	0
Parent PID:	2580
Name:	utkin.exe
Path:	C:\Users\user\Desktop\utkin.exe
Commandline:	"C:\Users\user\Desktop\utkin.exe"
Size:	2749952
MD5:	119891F3F60E7BBA10A6B60731A8D211
Time:	00:52:02
Date:	27/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff680ff0000
Modulesize:	2772992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected CredGrabber	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Meduza Stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\utkin.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org/a

unknown

Details

Name:	https://api.ipify.org/a
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\utkin.exe
Source:	utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org_

unknown

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\utkin.exe
Source:	utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/A:

unknown

Details

Name:	https://api.ipify.org/A:
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\utkin.exe
Source:	utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.orgW

unknown

Domains

Name

Malicious

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

193.3.19.151

unknown

Denmark

Details

IP:	193.3.19.151
TargetID:	0
Current Path:	C:\Users\user\Desktop\utkin.exe
Country:	Denmark
Countrycode:	DNK
ASN number:	2107
ASN name:	ARNES-NETAcademicandResearchNetworkofSloveniaSI
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	0
Current Path:	C:\Users\user\Desktop\utkin.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

1C737BAB000

heap

page read and write

1C739630000

direct allocation

page execute and read and write

1C737B30000

heap

page read and write

1C73995A000

heap

page read and write

1C7399EF000

heap

page read and write

1C737C13000

heap

page read and write

1C739925000

heap

page read and write

7FF681293000

unkown

page readonly

1C73952C000

heap

page read and write

27A57FF000

stack

page read and write

1C739620000

heap

page read and write

1C739940000

heap

page read and write

27A54FB000

stack

page read and write

27A50FE000

stack

page read and write

1C73A850000

heap

page read and write

1C73A7F0000

heap

page read and write

27A4BA7000

stack

page read and write

27A4FFE000

stack

page read and write

1C737C8A000

heap

page read and write

27A53FF000

stack

page read and write

1C739840000

heap

page read and write

1C739520000

heap

page read and write

1C739590000

heap

page read and write

27A52FE000

stack

page read and write

1C737A20000

heap

page read and write

1C737B50000

heap

page read and write

1C7399E9000

heap

page read and write

1C739B5A000

heap

page read and write

1C737C83000

heap

page read and write

1C739B51000

heap

page read and write

1C7399EC000

heap

page read and write

7FF68128E000

unkown

page readonly

1C739E66000

heap

page read and write

27A51FE000

stack

page read and write

7FF680FF0000

unkown

page readonly

1C737C98000

heap

page read and write

1C7399F9000

heap

page read and write

1C737B00000

heap

page read and write

1C739525000

heap

page read and write

7FF68127E000

unkown

page readonly

1C737BA0000

heap

page read and write

7FF680FF1000

unkown

page execute read

1C739921000

heap

page read and write

1C73B970000

heap

page read and write

1C739B40000

heap

page read and write

7FF68128A000

unkown

page write copy

1C737C0F000

heap

page read and write

1C737C4A000

heap

page read and write

1C739980000

heap

page read and write

7FF68103E000

unkown

page readonly

27A4EFE000

stack

page read and write

7FF68128A000

unkown

page read and write

1C739625000

heap

page read and write

27A56FE000

stack

page read and write

7FF68103E000

unkown

page readonly

27A55FE000

stack

page read and write

27A4B9D000

stack

page read and write

There are 47 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
utkin.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportutkin.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
utkin.exe