Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Mcx2Xk0fqn.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.516959989760247
Filename:	Mcx2Xk0fqn.exe
Filesize:	630272
MD5:	c421a43f741ad586338b3739bd812b95
SHA1:	442a8888bfc86d52e838a739417f597df12a7845
SHA256:	faf6ebfff85ddb7f9f7477e5370e564b16febf619e1c865dda506e7649488815
SHA512:	bef0969463a3130f7d4bcbd9b09b0e85fab4cba74a27ac74cc45e8c43ac54c7833ab1d8fdb648e8d14bd274bebabdc5285fa30f03543e13b32caa41856092ad9
SSDEEP:	6144:AOeZw9zc/dDwPHgjrGEUgy2mAT2QxKZoKyqvVl:AOeWFc/dgq9UYgOKZC2V
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P`.Z............................~.... ... ....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Process Injection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Access Token Manipulation
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information	Credentials in Registry
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	Access Token Manipulation System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Mcx2Xk0fqn.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Mcx2Xk0fqn.exe.log
Category:	dropped
Dump:	Mcx2Xk0fqn.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk70Ug+9pfu9tv:MLF2CpI329Iz52VMzffuT
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\188E93\31437F.lck

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Roaming\188E93\31437F.lck
Category:	dropped
Dump:	31437F.lck.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Type:	data
Entropy:	1.0424600748477153
Encrypted:	false
Ssdeep:	3:/lbq:4
Size:	46
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Mcx2Xk0fqn.exe

"C:\Users\user\Desktop\Mcx2Xk0fqn.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7272
Target ID:	0
Parent PID:	2580
Name:	Mcx2Xk0fqn.exe
Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Commandline:	"C:\Users\user\Desktop\Mcx2Xk0fqn.exe"
Size:	630272
MD5:	C421A43F741AD586338B3739BD812B95
Time:	02:11:53
Date:	30/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	655360
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Mcx2Xk0fqn.exe

"C:\Users\user\Desktop\Mcx2Xk0fqn.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7304
Target ID:	1
Parent PID:	7272
Name:	Mcx2Xk0fqn.exe
Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Commandline:	"C:\Users\user\Desktop\Mcx2Xk0fqn.exe"
Size:	630272
MD5:	C421A43F741AD586338B3739BD812B95
Time:	02:11:53
Date:	30/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcf0000
Modulesize:	655360
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://kbfvzoboss.bid/alien/fre.php

Details

Name:	http://kbfvzoboss.bid/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.win/alien/fre.php

Details

Name:	http://alphastand.win/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://89.34.237.212/annonymous/fre.php

89.34.237.212

Details

Name:	http://89.34.237.212/annonymous/fre.php
IP:	89.34.237.212
TargetID:	1
From Memory:	false
Current Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://alphastand.trade/alien/fre.php

Details

Name:	http://alphastand.trade/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.top/alien/fre.php

Details

Name:	http://alphastand.top/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://89.34.237.212/annonymous/fre.phpzpf

unknown

http://www.ibsensoftware.com/

unknown

IPs

Domain

Country

Malicious

89.34.237.212

unknown

Romania

Details

IP:	89.34.237.212
TargetID:	1
Current Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Country:	Romania
Countrycode:	ROU
ASN number:	49367
ASN name:	ASSEFLOWAmsterdamInternetExchangeAMS-IXIT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3AB1000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

1248000

heap

page read and write

3B9B000

trusted library allocation

page read and write

3B2C000

trusted library allocation

page read and write

2AB1000

trusted library allocation

page read and write

4D40000

trusted library section

page read and write

5FAD000

stack

page read and write

4B8E000

stack

page read and write

AA0000

trusted library allocation

page read and write

1190000

heap

page read and write

52C000

stack

page read and write

316C000

stack

page read and write

E1F000

stack

page read and write

EC0000

heap

page execute and read and write

60B0000

trusted library allocation

page execute and read and write

A0E000

stack

page read and write

103C000

stack

page read and write

A40000

heap

page read and write

A45000

heap

page read and write

E90000

heap

page read and write

D1F000

stack

page read and write

1150000

heap

page read and write

326E000

stack

page read and write

AE0000

heap

page read and write

150E000

stack

page read and write

EB0000

trusted library section

page read and write

442000

unkown

page readonly

E5E000

stack

page read and write

122E000

stack

page read and write

B7B000

heap

page read and write

AA2000

trusted library allocation

page execute and read and write

B2E000

heap

page read and write

E70000

trusted library allocation

page execute and read and write

1240000

heap

page read and write

B8F000

heap

page read and write

4B3E000

stack

page read and write

11DE000

stack

page read and write

A75000

trusted library allocation

page execute and read and write

1155000

heap

page read and write

A80000

heap

page read and write

4C8F000

stack

page read and write

5EE000

stack

page read and write

4AEE000

stack

page read and write

A6A000

trusted library allocation

page execute and read and write

126E000

heap

page read and write

E60000

trusted library allocation

page read and write

160E000

stack

page read and write

2CF3000

trusted library allocation

page read and write

B9E000

heap

page read and write

ABB000

trusted library allocation

page execute and read and write

AB7000

trusted library allocation

page execute and read and write

328F000

heap

page read and write

60AF000

stack

page read and write

590000

heap

page read and write

400000

unkown

page readonly

8F6000

stack

page read and write

BA5000

heap

page read and write

AF0000

heap

page read and write

11E0000

heap

page read and write

B48000

heap

page read and write

5D90000

trusted library allocation

page read and write

2DB0000

heap

page read and write

4D76000

trusted library section

page read and write

12AC000

heap

page read and write

A9A000

trusted library allocation

page execute and read and write

49F000

remote allocation

page execute and read and write

A62000

trusted library allocation

page execute and read and write

A70000

trusted library allocation

page read and write

5A0000

heap

page read and write

3AD0000

trusted library allocation

page read and write

49C000

unkown

page readonly

A72000

trusted library allocation

page execute and read and write

B20000

heap

page read and write

2DC0000

heap

page read and write

113B000

stack

page read and write

3BD4000

trusted library allocation

page read and write

B5E000

heap

page read and write

A97000

trusted library allocation

page execute and read and write

276F000

stack

page read and write

402000

unkown

page readonly

B28000

heap

page read and write

E80000

trusted library allocation

page read and write

A50000

trusted library allocation

page read and write

There are 74 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Mcx2Xk0fqn.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMcx2Xk0fqn.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
Mcx2Xk0fqn.exe