Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SharkHCShark.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.1026902111809305
Filename:	SharkHCShark.exe
Filesize:	692736
MD5:	1714616095f0d3f62aac384222620ad5
SHA1:	31412d21c22f20efa0f5f57b45842d1df6db0c11
SHA256:	4788d6606f23c828bbaaad8f8d3418fa86d704fc35aabebd48db7de370fb0f3b
SHA512:	cebc07a2990261d28286f93c856c1e81282e9e99d19905181acde53a7add4add980180296647784309b9947d52c06a69b916955c2382cc6aacf5a425d345861e
SSDEEP:	12288:n6CpQpr4Aqyt0MbXYgDq+qh58WcYrFmYqMdCN1VXmdWnSRv/MEkqI9zDVATDNTkT:nHpCr4Ryt9S+qRcS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.f............................N.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Binary may include packed or encrypted code	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Security Software Discovery Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SharkHCShark.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SharkHCShark.exe.log
Category:	dropped
Dump:	SharkHCShark.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SharkHCShark.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9x.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9x.dll
Category:	dropped
Dump:	d3d9x.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SharkHCShark.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.633422160662858
Encrypted:	false
Ssdeep:	12288:UepXIlZt+s6qg/FVbVejhhQR8jNUXPeqH3XKxceRjmuou7So3scqbQJyzywyIyrH:VpMC67QR8jNUXPeqH3XKxceRjmuou7SR
Size:	671232
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Category:	dropped
Dump:	MSBuild.exe.log.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.345080863654519
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
Size:	1119
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SharkHCShark.exe

"C:\Users\user\Desktop\SharkHCShark.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4904
Target ID:	0
Parent PID:	4004
Name:	SharkHCShark.exe
Path:	C:\Users\user\Desktop\SharkHCShark.exe
Commandline:	"C:\Users\user\Desktop\SharkHCShark.exe"
Size:	692736
MD5:	1714616095F0D3F62AAC384222620AD5
Time:	05:16:59
Date:	28/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5256
Target ID:	3
Parent PID:	4904
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	05:17:00
Date:	28/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8e0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3224
Target ID:	1
Parent PID:	4904
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:16:59
Date:	28/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

fp2e7a.wpc.phicdn.net

192.229.221.95

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

6D41A000

unkown

page read and write

184E000

stack

page read and write

FC0000

heap

page read and write

56FE000

heap

page read and write

2CE1000

trusted library allocation

page read and write

7E0F000

stack

page read and write

1600000

heap

page read and write

2D56000

trusted library allocation

page read and write

167C000

heap

page read and write

E70000

heap

page read and write

15B4000

trusted library allocation

page read and write

42B5000

trusted library allocation

page read and write

F13000

heap

page read and write

51D0000

trusted library allocation

page execute and read and write

D27000

heap

page read and write

7BC0000

trusted library allocation

page read and write

2D51000

trusted library allocation

page read and write

51E0000

trusted library allocation

page read and write

D10000

heap

page read and write

29CD000

trusted library allocation

page execute and read and write

8B90000

trusted library allocation

page execute and read and write

2A8B000

stack

page read and write

5600000

heap

page read and write

ECC000

unkown

page readonly

F29000

heap

page read and write

162B000

heap

page read and write

51B0000

heap

page read and write

514D000

trusted library allocation

page read and write

EE8000

heap

page read and write

15EB000

trusted library allocation

page execute and read and write

F15000

heap

page read and write

57EF000

stack

page read and write

E4D000

stack

page read and write

8CEE000

stack

page read and write

29D6000

trusted library allocation

page execute and read and write

29DA000

trusted library allocation

page execute and read and write

15E0000

trusted library allocation

page read and write

55C0000

trusted library allocation

page execute and read and write

2A00000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

17FF000

stack

page read and write

526B000

stack

page read and write

F1D000

heap

page read and write

D20000

heap

page read and write

2A4E000

stack

page read and write

E98000

heap

page read and write

15E7000

trusted library allocation

page execute and read and write

55F0000

heap

page read and write

160E000

heap

page read and write

31A0000

heap

page read and write

29B3000

trusted library allocation

page execute and read and write

2BA0000

trusted library allocation

page read and write

5800000

trusted library allocation

page read and write

29C3000

trusted library allocation

page read and write

18F0000

heap

page read and write

12FB000

stack

page read and write

5141000

trusted library allocation

page read and write

5624000

heap

page read and write

1450000

heap

page read and write

29D0000

trusted library allocation

page read and write

4DDD000

stack

page read and write

51C0000

trusted library allocation

page read and write

1634000

heap

page read and write

29E0000

trusted library allocation

page read and write

30DE000

stack

page read and write

F5C000

stack

page read and write

53AE000

stack

page read and write

512E000

trusted library allocation

page read and write

29EB000

trusted library allocation

page execute and read and write

ECC000

heap

page read and write

F6B000

heap

page read and write

512B000

trusted library allocation

page read and write

8B7E000

stack

page read and write

5273000

heap

page read and write

D30000

heap

page read and write

553D000

stack

page read and write

56F0000

heap

page read and write

159E000

stack

page read and write

5146000

trusted library allocation

page read and write

6D3F1000

unkown

page execute read

318E000

stack

page read and write

55D0000

trusted library allocation

page read and write

E22000

unkown

page readonly

6D3F0000

unkown

page readonly

32AE000

stack

page read and write

32B1000

trusted library allocation

page read and write

29E7000

trusted library allocation

page execute and read and write

2AB0000

trusted library allocation

page read and write

FE0000

heap

page read and write

5160000

trusted library allocation

page read and write

2BB0000

trusted library allocation

page execute and read and write

8A7E000

stack

page read and write

7D0D000

stack

page read and write

32BB000

trusted library allocation

page read and write

51C2000

trusted library allocation

page read and write

EB4000

heap

page read and write

2ADF000

trusted library allocation

page read and write

15B3000

trusted library allocation

page execute and read and write

F35000

heap

page read and write

1495000

heap

page read and write

8D2E000

stack

page read and write

8F6F000

stack

page read and write

32B9000

trusted library allocation

page read and write

314E000

stack

page read and write

2CDE000

stack

page read and write

2B9C000

trusted library allocation

page read and write

7C00000

heap

page execute and read and write

29A0000

trusted library allocation

page read and write

2BC5000

trusted library allocation

page read and write

E50000

heap

page read and write

5420000

heap

page read and write

29B0000

trusted library allocation

page read and write

8E6E000

stack

page read and write

6D48B000

unkown

page execute read

D35000

heap

page read and write

2BD0000

heap

page execute and read and write

32BF000

trusted library allocation

page read and write

2AD0000

trusted library allocation

page read and write

10CD000

stack

page read and write

2BC0000

trusted library allocation

page read and write

3CE1000

trusted library allocation

page read and write

73E2000

trusted library allocation

page read and write

E90000

heap

page read and write

140E000

stack

page read and write

CF7000

stack

page read and write

6D495000

unkown

page readonly

F23000

heap

page read and write

1626000

heap

page read and write

5620000

heap

page read and write

1800000

trusted library allocation

page read and write

15C4000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

5225000

heap

page read and write

5220000

heap

page read and write

29E2000

trusted library allocation

page read and write

5124000

trusted library allocation

page read and write

45E000

remote allocation

page execute and read and write

FD0000

heap

page read and write

6D413000

unkown

page readonly

29B4000

trusted library allocation

page read and write

2AA0000

trusted library allocation

page read and write

7BBE000

stack

page read and write

55E0000

heap

page read and write

5210000

trusted library section

page readonly

1490000

heap

page read and write

5270000

heap

page read and write

3190000

heap

page execute and read and write

5410000

heap

page read and write

5120000

trusted library allocation

page read and write

2AE0000

heap

page read and write

2B92000

trusted library allocation

page read and write

3100000

trusted library allocation

page read and write

8E2E000

stack

page read and write

513E000

trusted library allocation

page read and write

108E000

stack

page read and write

30E0000

trusted library allocation

page execute and read and write

1642000

heap

page read and write

42B1000

trusted library allocation

page read and write

15A0000

trusted library allocation

page read and write

11DF000

stack

page read and write

4B5B000

trusted library allocation

page read and write

30F0000

trusted library allocation

page read and write

9A9000

stack

page read and write

8BEE000

stack

page read and write

15C0000

trusted library allocation

page read and write

2A90000

trusted library allocation

page execute and read and write

E20000

unkown

page readonly

144E000

stack

page read and write

5430000

heap

page execute and read and write

10D0000

heap

page read and write

29BD000

trusted library allocation

page execute and read and write

5152000

trusted library allocation

page read and write

There are 163 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SharkHCShark.exe

Files

Processes

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSharkHCShark.exe

Files

Processes

Domains

Memdumps

IOC Report
SharkHCShark.exe