Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.577802598719638
Filename:	#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Filesize:	37888
MD5:	24ab0ba0700aff18d46f4b4858907567
SHA1:	d4a9f83e3729733d6f9f43bf8d0b475eb0fdba2b
SHA256:	7af0156a84824969e63357b1a5d6913efa7f0df71a2f585a416d0d200a5c5898
SHA512:	b3d404452b01720f4a4756e8e409cdee93e830186e78c4c30c3247caab4150c98987fb507657a6f929fb5d26a02a5092a873cb8883521a5b06da7b362ac4e727
SSDEEP:	384:VetvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzXX:4t7TZ38fvCv3E1c1rM+rMRa8Nu8it
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.e................................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Protects its processes via BreakOnTermination flag	Operating System Destruction
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation Disable or Modify Tools
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May infect USB drives	Spreading	Replication Through Removable Media Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.934041687320963
Encrypted:	false
Ssdeep:	48:DOOYuR3qmbq0aLxgkVMr72W1GUVbEpouMm5XF30u3s:yERz3rpr/EpouMmxFr3s
Size:	2496
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe

"C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6744
Target ID:	0
Parent PID:	3964
Name:	#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Path:	C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Commandline:	"C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe"
Size:	37888
MD5:	24AB0BA0700AFF18D46F4B4858907567
Time:	00:00:42
Date:	24/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x480000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
May infect USB drives	Spreading	Replication Through Removable Media
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe" "#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	5708
Target ID:	2
Parent PID:	6744
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe" "#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	00:00:49
Date:	24/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5672
Target ID:	3
Parent PID:	5708
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:00:49
Date:	24/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

unknown

Details

Name:	https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Source:	#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

2.tcp.eu.ngrok.io

18.156.13.209

Details

Name:	2.tcp.eu.ngrok.io
IP:	18.156.13.209
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

18.156.13.209

2.tcp.eu.ngrok.io

United States

Details

IP:	18.156.13.209
TargetID:	0
Current Path:	C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	2.tcp.eu.ngrok.io

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

3.127.138.57

unknown

United States

Details

IP:	3.127.138.57
TargetID:	0
Current Path:	C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

18.157.68.73

unknown

United States

Details

IP:	18.157.68.73
TargetID:	0
Current Path:	C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

18.197.239.5

unknown

United States

Details

IP:	18.197.239.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

482000

unkown

page readonly

4DAC000

stack

page read and write

48C000

unkown

page readonly

9D9000

heap

page read and write

BFE000

heap

page read and write

A60000

trusted library allocation

page read and write

4F8E000

stack

page read and write

4950000

heap

page read and write

52A0000

heap

page read and write

4D00000

unclassified section

page read and write

BEE000

stack

page read and write

E2E000

stack

page read and write

A97000

trusted library allocation

page execute and read and write

580000

heap

page read and write

2AFC000

trusted library allocation

page read and write

9D8000

heap

page read and write

A82000

trusted library allocation

page execute and read and write

4E8E000

stack

page read and write

9B5000

heap

page read and write

93B000

stack

page read and write

C8C000

heap

page read and write

F80000

trusted library allocation

page execute and read and write

C2E000

heap

page read and write

A50000

heap

page execute and read and write

92E000

stack

page read and write

CF6000

heap

page read and write

9E4000

heap

page read and write

52C0000

heap

page read and write

A7A000

trusted library allocation

page execute and read and write

C98000

heap

page read and write

480000

unkown

page readonly

C61000

heap

page read and write

CAC000

heap

page read and write

480E000

stack

page read and write

4D23000

heap

page read and write

9C0000

heap

page read and write

F50000

heap

page read and write

F60000

trusted library allocation

page read and write

50DF000

stack

page read and write

F2E000

stack

page read and write

CCE000

unkown

page read and write

AE0000

heap

page read and write

46EE000

stack

page read and write

4B5C000

stack

page read and write

3A81000

trusted library allocation

page read and write

A92000

trusted library allocation

page read and write

4E9F000

stack

page read and write

A37000

trusted library allocation

page read and write

52B0000

heap

page read and write

4C5E000

stack

page read and write

CAA000

heap

page read and write

A8A000

trusted library allocation

page execute and read and write

5DE000

stack

page read and write

A9B000

trusted library allocation

page execute and read and write

A77000

trusted library allocation

page execute and read and write

CD0000

heap

page read and write

83B000

stack

page read and write

5220000

trusted library allocation

page execute and read and write

935000

stack

page read and write

9A0000

heap

page read and write

A30000

trusted library allocation

page read and write

4EA0000

heap

page read and write

4DE9000

stack

page read and write

9AA000

heap

page read and write

D00000

heap

page read and write

BFA000

heap

page read and write

9B2000

heap

page read and write

A42000

trusted library allocation

page execute and read and write

93F000

stack

page read and write

CF0000

heap

page read and write

AB0000

heap

page read and write

BF0000

heap

page read and write

4830000

heap

page read and write

AA0000

heap

page read and write

2AD8000

trusted library allocation

page read and write

4FDE000

stack

page read and write

A4A000

trusted library allocation

page execute and read and write

AA0000

heap

page read and write

A6A000

trusted library allocation

page execute and read and write

F90000

heap

page read and write

4CEC000

stack

page read and write

51A000

stack

page read and write

F96000

heap

page read and write

4D6B000

stack

page read and write

4CF0000

trusted library allocation

page read and write

8F6000

stack

page read and write

F40000

trusted library allocation

page execute and read and write

4A88000

trusted library allocation

page read and write

7F410000

trusted library allocation

page execute and read and write

AA5000

heap

page read and write

590000

heap

page read and write

C9D000

heap

page read and write

4D20000

heap

page read and write

9C1000

heap

page read and write

F30000

trusted library allocation

page read and write

9C0000

heap

page read and write

BCD000

unkown

page read and write

2A81000

trusted library allocation

page read and write

DFD000

stack

page read and write

A62000

trusted library allocation

page execute and read and write

E10000

heap

page read and write

There are 91 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exe