Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\pisun.exe

"C:\Users\user\Desktop\pisun.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6640
Target ID:	1
Parent PID:	3084
Name:	pisun.exe
Path:	C:\Users\user\Desktop\pisun.exe
Commandline:	"C:\Users\user\Desktop\pisun.exe"
Size:	55808
MD5:	45140E967970CD63521EAA76DC4DB7D7
Time:	09:58:58
Date:	23/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1d0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://pastebin.com/raw/???

unknown

Domains

Name

Malicious

such-captain.gl.at.ply.gg

147.185.221.27

Details

Name:	such-captain.gl.at.ply.gg
IP:	147.185.221.27
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.27

such-captain.gl.at.ply.gg

United States

Details

IP:	147.185.221.27
TargetID:	1
Current Path:	C:\Users\user\Desktop\pisun.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	such-captain.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	1
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\f9f7ecca9c9e7996304b914cc137e66d

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

1D2000

unkown

page readonly

576000

stack

page read and write

5E0000

heap

page read and write

B22000

trusted library allocation

page read and write

49F0000

heap

page read and write

B50000

heap

page read and write

63F000

heap

page read and write

B0A000

trusted library allocation

page execute and read and write

AFA000

trusted library allocation

page execute and read and write

980000

heap

page read and write

AD8000

trusted library allocation

page read and write

4BB0000

unclassified section

page read and write

4B48000

stack

page read and write

600000

heap

page read and write

3811000

trusted library allocation

page read and write

B12000

trusted library allocation

page execute and read and write

2862000

trusted library allocation

page read and write

5E5000

heap

page read and write

AD0000

trusted library allocation

page read and write

49E0000

trusted library allocation

page execute and read and write

D1E000

stack

page read and write

608000

heap

page read and write

AFC000

trusted library allocation

page execute and read and write

B27000

trusted library allocation

page execute and read and write

2811000

trusted library allocation

page read and write

28A9000

trusted library allocation

page read and write

47A000

stack

page read and write

4818000

trusted library allocation

page read and write

CD0000

heap

page read and write

5F0000

heap

page read and write

D20000

heap

page execute and read and write

60E000

heap

page read and write

CB0000

trusted library allocation

page read and write

4A8D000

stack

page read and write

2886000

trusted library allocation

page read and write

1E0000

unkown

page readonly

9A0000

heap

page read and write

1D0000

unkown

page readonly

AF2000

trusted library allocation

page execute and read and write

B07000

trusted library allocation

page execute and read and write

49D0000

trusted library allocation

page read and write

579000

stack

page read and write

AE2000

trusted library allocation

page execute and read and write

B9E000

stack

page read and write

4ACC000

stack

page read and write

B2B000

trusted library allocation

page execute and read and write

7D0000

heap

page read and write

AEA000

trusted library allocation

page execute and read and write

C9E000

stack

page read and write

49AF000

stack

page read and write

CC0000

trusted library allocation

page execute and read and write

28D4000

trusted library allocation

page read and write

B1A000

trusted library allocation

page execute and read and write

4B0C000

stack

page read and write

AF0000

trusted library allocation

page read and write

49B0000

trusted library allocation

page read and write

There are 46 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
pisun.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportpisun.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
pisun.exe