Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

rbx hack 2.6.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.072614416212156
Filename:	rbx hack 2.6.exe
Filesize:	174080
MD5:	85674d840f5718ae8b969d34f00959a6
SHA1:	81ac606530c9f8f0b5b1aedebdfe5fbd9f0720a6
SHA256:	d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d
SHA512:	9b97f5a99e2bea32b1ec68173a7b7e661c609a5c03abd391d3f974b54518c3fd4666e2570603037d6e383354fe63cbbf7b5c684a1edd69249fdfa51a7dd7296f
SSDEEP:	3072:IE+aisCzuOA2ewhLapuvpAsZOyMqmyBeYVYk:WRV/GWGwqqm1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.g.....................&........... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rbx hack 2.6.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rbx hack 2.6.exe.log
Category:	dropped
Dump:	rbx hack 2.6.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\rbx hack 2.6.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\rbx hack.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\rbx hack.exe
Category:	dropped
Dump:	rbx hack.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\rbx hack 2.6.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.617457264202004
Encrypted:	false
Ssdeep:	768:CkoLg652Eslt/aNxND3O4JSNjxWQG35bmaePD5Pv+2XXJdxIEpm7g:CkSVGtiNjDTGdWQcGDxX3xIEpm7g
Size:	55808
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses new MSVCR Dlls	Compliance, System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rbx hack 2.6.exe

"C:\Users\user\Desktop\rbx hack 2.6.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6744
Target ID:	0
Parent PID:	4056
Name:	rbx hack 2.6.exe
Path:	C:\Users\user\Desktop\rbx hack 2.6.exe
Commandline:	"C:\Users\user\Desktop\rbx hack 2.6.exe"
Size:	174080
MD5:	85674D840F5718AE8B969D34F00959A6
Time:	11:18:13
Date:	23/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	196608
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\rbx hack.exe

"C:\Users\user\AppData\Local\Temp\rbx hack.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7148
Target ID:	2
Parent PID:	6744
Name:	rbx hack.exe
Path:	C:\Users\user\AppData\Local\Temp\rbx hack.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\rbx hack.exe"
Size:	55808
MD5:	E3250BA3E962DDF90560E00C92659CF9
Time:	11:18:16
Date:	23/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x690000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://go.microsoft.

unknown

Details

Name:	http://go.microsoft.
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\rbx hack.exe
Source:	rbx hack.exe, 00000002.00000002.3372309070.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://go.microsoft.LinkId=42127

unknown

Details

Name:	http://go.microsoft.LinkId=42127
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\rbx hack.exe
Source:	rbx hack.exe, 00000002.00000002.3372309070.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://pastebin.com/raw/???

unknown

Details

Name:	https://pastebin.com/raw/???
TargetID:	-1
From Memory:	true
Source:	rbx hack 2.6.exe, 00000000.00000002.925150095.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, rbx hack.exe, 00000002.00000000.922868420.0000000000692000.00000002.00000001.01000000.00000006.sdmp, rbx hack.exe, 00000002.00000002.3373440376.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, rbx hack.exe.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

size-ingredients.gl.at.ply.gg

147.185.221.27

Details

Name:	size-ingredients.gl.at.ply.gg
IP:	147.185.221.27
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.27

size-ingredients.gl.at.ply.gg

United States

Details

IP:	147.185.221.27
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\rbx hack.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	size-ingredients.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\a1cb840a8f8b330a9629751db128f43f

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

2E41000

trusted library allocation

page read and write

692000

unkown

page readonly

E50000

heap

page execute and read and write

7FF93668D000

trusted library allocation

page execute and read and write

4E60000

trusted library allocation

page execute and read and write

1540000

heap

page read and write

13BE000

stack

page read and write

DCB000

trusted library allocation

page execute and read and write

7A0000

heap

page read and write

C90000

trusted library allocation

page read and write

1BCEE000

stack

page read and write

7FF936800000

trusted library allocation

page read and write

7B0000

heap

page read and write

7FE000

stack

page read and write

4F1D000

stack

page read and write

1BBEE000

stack

page read and write

6A0000

unkown

page readonly

1C0EE000

stack

page read and write

7FF93667D000

trusted library allocation

page execute and read and write

4E5E000

stack

page read and write

1020000

heap

page read and write

10A0000

trusted library allocation

page read and write

DBA000

trusted library allocation

page execute and read and write

1BA16000

heap

page read and write

7FF936720000

trusted library allocation

page execute and read and write

12E41000

trusted library allocation

page read and write

B70000

unkown

page readonly

AF6000

stack

page read and write

2DEE000

stack

page read and write

AF9000

stack

page read and write

2E30000

heap

page read and write

1104000

heap

page read and write

10C0000

heap

page read and write

DAA000

trusted library allocation

page execute and read and write

1BDEE000

stack

page read and write

2CF6000

trusted library allocation

page read and write

1136000

heap

page read and write

7FF936746000

trusted library allocation

page execute and read and write

1520000

heap

page read and write

10C6000

heap

page read and write

B7E000

heap

page read and write

10EC000

heap

page read and write

73A000

stack

page read and write

4E70000

trusted library allocation

page read and write

7FF936674000

trusted library allocation

page read and write

BAE000

heap

page read and write

2C81000

trusted library allocation

page read and write

1132000

heap

page read and write

CA2000

trusted library allocation

page execute and read and write

CB0000

trusted library allocation

page read and write

7FF936710000

trusted library allocation

page read and write

4FE0000

trusted library allocation

page read and write

7FF936780000

trusted library allocation

page execute and read and write

F20000

heap

page read and write

12E48000

trusted library allocation

page read and write

1545000

heap

page read and write

2E20000

heap

page execute and read and write

CC5000

heap

page read and write

1B9FC000

heap

page read and write

7FF9366BC000

trusted library allocation

page execute and read and write

14BF000

stack

page read and write

DA7000

trusted library allocation

page execute and read and write

4FD9000

stack

page read and write

1BEEE000

stack

page read and write

B70000

unkown

page readonly

7FF936663000

trusted library allocation

page execute and read and write

12BE000

stack

page read and write

7FF936672000

trusted library allocation

page read and write

DC2000

trusted library allocation

page read and write

B60000

heap

page read and write

5070000

unclassified section

page read and write

4F5B000

stack

page read and write

B7A000

heap

page read and write

1B8E0000

heap

page execute and read and write

2D1A000

trusted library allocation

page read and write

E90000

heap

page read and write

1B9ED000

stack

page read and write

DC7000

trusted library allocation

page execute and read and write

7FF93671C000

trusted library allocation

page execute and read and write

DB2000

trusted library allocation

page execute and read and write

5060000

trusted library allocation

page execute and read and write

1040000

heap

page read and write

1BFEB000

stack

page read and write

4F9C000

stack

page read and write

E20000

heap

page read and write

1085000

heap

page read and write

1080000

heap

page read and write

CAA000

trusted library allocation

page execute and read and write

1102000

heap

page read and write

4D5E000

stack

page read and write

7FF4F6CC0000

trusted library allocation

page execute and read and write

2CD2000

trusted library allocation

page read and write

CC0000

heap

page read and write

F9F000

stack

page read and write

CB2000

trusted library allocation

page execute and read and write

B72000

unkown

page readonly

CBC000

trusted library allocation

page execute and read and write

1000000

heap

page read and write

1BA09000

heap

page read and write

10F6000

heap

page read and write

12E43000

trusted library allocation

page read and write

293F000

stack

page read and write

EF4000

stack

page read and write

1B9FA000

heap

page read and write

14C0000

trusted library allocation

page read and write

E0E000

stack

page read and write

1B9F0000

heap

page read and write

B70000

heap

page read and write

7FF936670000

trusted library allocation

page read and write

7FF936664000

trusted library allocation

page read and write

CBA000

trusted library allocation

page execute and read and write

1B3DD000

stack

page read and write

10CC000

heap

page read and write

E80000

trusted library allocation

page read and write

4C88000

trusted library allocation

page read and write

690000

unkown

page readonly

7FF936680000

trusted library allocation

page read and write

E30000

heap

page read and write

3C81000

trusted library allocation

page read and write

7FF93666D000

trusted library allocation

page execute and read and write

1194000

heap

page read and write

4FF0000

heap

page read and write

There are 112 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
rbx hack 2.6.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportrbx hack 2.6.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
rbx hack 2.6.exe