Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

b34J4bxnmN.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.656857908942536
Filename:	b34J4bxnmN.exe
Filesize:	9278464
MD5:	24aaa69f6e96ea14e0602d49d5c58a83
SHA1:	d50b28c15f5a93a9e4679d3c43d88a17e7350f40
SHA256:	3318d2024f5863942ba46235834bea85161a90219dbcb09bfadaf14f4811476f
SHA512:	35f59bbd359371c9a584556899fa3990b2954a532b8d73e9b65282301b25bb3f32a218fcd19eba0aa473e5ab4cae21bba5f20584218f3800cc566534e007978c
SSDEEP:	196608:eYzQO9kPmWdJGlvIGEBhQ7BP5TmoaiZMSW0G6JmJfLknzB:5zQ8kP9dgwXK7Lmo7ul8cTaB
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..f.............................#... ........@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Contains functionality to disable the Task Manager (.Net Source)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to spread to USB devices (.Net source)	Spreading	Replication Through Removable Media
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May infect USB drives	Spreading
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Roaming\app

Unicode text, UTF-8 (with BOM) text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\app
Category:	dropped
Dump:	app.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\b34J4bxnmN.exe
Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Entropy:	2.321928094887362
Encrypted:	false
Ssdeep:	3:1n:1
Size:	5
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\b34J4bxnmN.exe

"C:\Users\user\Desktop\b34J4bxnmN.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7352
Target ID:	0
Parent PID:	2580
Name:	b34J4bxnmN.exe
Path:	C:\Users\user\Desktop\b34J4bxnmN.exe
Commandline:	"C:\Users\user\Desktop\b34J4bxnmN.exe"
Size:	9278464
MD5:	24AAA69F6E96EA14E0602D49D5C58A83
Time:	04:17:03
Date:	16/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x480000
Modulesize:	9306112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\b34J4bxnmN.exe" "b34J4bxnmN.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	7792
Target ID:	4
Parent PID:	7352
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\b34J4bxnmN.exe" "b34J4bxnmN.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	04:17:45
Date:	16/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1560000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7800
Target ID:	5
Parent PID:	7792
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:17:45
Date:	16/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

147.185.221.18

unknown

United States

Details

IP:	147.185.221.18
TargetID:	0
Current Path:	C:\Users\user\Desktop\b34J4bxnmN.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

Memdumps

Base Address

Regiontype

Protect

Malicious

31B1000

trusted library allocation

page read and write

41B9000

trusted library allocation

page read and write

5810000

trusted library section

page read and write

11D5000

heap

page read and write

2FB0000

trusted library allocation

page read and write

51FC000

heap

page read and write

520A000

heap

page read and write

C53000

heap

page read and write

5990000

trusted library allocation

page read and write

B3B000

stack

page read and write

C5C000

heap

page read and write

13DE000

stack

page read and write

CA6000

heap

page read and write

51CF000

stack

page read and write

1390000

heap

page read and write

C5C000

heap

page read and write

5920000

heap

page execute and read and write

6190000

trusted library allocation

page execute and read and write

C55000

heap

page read and write

1340000

heap

page read and write

18C0000

trusted library allocation

page read and write

65EE000

stack

page read and write

2F08000

trusted library allocation

page read and write

C59000

heap

page read and write

5208000

heap

page read and write

6F2E000

stack

page read and write

1562000

trusted library allocation

page read and write

C2A000

heap

page read and write

CC6000

heap

page read and write

1368000

heap

page read and write

5A80000

trusted library allocation

page execute and read and write

C81000

heap

page read and write

3020000

trusted library allocation

page read and write

51F1000

heap

page read and write

C15000

heap

page read and write

C45000

heap

page read and write

C5E000

heap

page read and write

C22000

heap

page read and write

155A000

trusted library allocation

page execute and read and write

3488000

trusted library allocation

page read and write

CC5000

heap

page read and write

C4F000

heap

page read and write

151E000

stack

page read and write

18B0000

trusted library allocation

page execute and read and write

5200000

heap

page read and write

5206000

heap

page read and write

15CE000

stack

page read and write

C24000

heap

page read and write

18E0000

heap

page read and write

5A70000

trusted library allocation

page execute and read and write

C41000

heap

page read and write

4C90000

heap

page read and write

5201000

heap

page read and write

482000

unkown

page readonly

41B1000

trusted library allocation

page read and write

C15000

heap

page read and write

1617000

heap

page read and write

C3D000

heap

page read and write

5971000

trusted library allocation

page read and write

C3D000

heap

page read and write

5660000

trusted library allocation

page read and write

30A0000

heap

page read and write

6DEE000

stack

page read and write

CA6000

heap

page read and write

C5B000

heap

page read and write

C5E000

heap

page read and write

1450000

heap

page read and write

C5A000

heap

page read and write

5850000

trusted library allocation

page execute and read and write

5A00000

trusted library allocation

page execute and read and write

CA3000

heap

page read and write

C59000

heap

page read and write

2FA0000

trusted library allocation

page read and write

EA0000

heap

page read and write

CC5000

heap

page read and write

5A13000

trusted library allocation

page read and write

11AD000

stack

page read and write

C44000

heap

page read and write

11D8000

heap

page read and write

CC0000

heap

page read and write

3028000

trusted library allocation

page read and write

6BB0000

heap

page read and write

596E000

stack

page read and write

C80000

heap

page read and write

C26000

heap

page read and write

CC0000

heap

page read and write

C50000

heap

page read and write

5A20000

trusted library allocation

page execute and read and write

58F0000

trusted library allocation

page read and write

CCD000

heap

page read and write

C04000

heap

page read and write

5A40000

trusted library allocation

page execute and read and write

C1B000

heap

page read and write

644C000

stack

page read and write

C56000

heap

page read and write

C21000

heap

page read and write

C55000

heap

page read and write

62CF000

stack

page read and write

CA6000

heap

page read and write

58E0000

trusted library allocation

page execute and read and write

61C0000

trusted library allocation

page execute and read and write

B55000

heap

page read and write

C45000

heap

page read and write

CA0000

heap

page read and write

C4D000

heap

page read and write

CC3000

heap

page read and write

C4D000

heap

page read and write

18E7000

heap

page read and write

10F7000

stack

page read and write

71F0000

heap

page read and write

1580000

trusted library allocation

page read and write

5200000

heap

page read and write

CA6000

heap

page read and write

CCA000

heap

page read and write

64B0000

trusted library allocation

page execute and read and write

C4E000

heap

page read and write

1386000

heap

page read and write

C40000

heap

page read and write

160C000

stack

page read and write

133D000

trusted library allocation

page execute and read and write

51F2000

heap

page read and write

C1B000

heap

page read and write

B80000

heap

page read and write

CC0000

heap

page read and write

156B000

trusted library allocation

page execute and read and write

59A0000

trusted library allocation

page execute and read and write

5AE2000

heap

page read and write

C5E000

heap

page read and write

C41000

heap

page read and write

C4A000

heap

page read and write

C3F000

heap

page read and write

55F0000

trusted library allocation

page read and write

5840000

trusted library allocation

page read and write

C27000

heap

page read and write

51D0000

heap

page read and write

C28000

heap

page read and write

44F9000

trusted library allocation

page read and write

5200000

heap

page read and write

2FE0000

trusted library allocation

page read and write

5200000

heap

page read and write

64E0000

trusted library allocation

page execute and read and write

378F000

trusted library allocation

page read and write

69AC000

stack

page read and write

C46000

heap

page read and write

C59000

heap

page read and write

14B0000

heap

page read and write

5200000

heap

page read and write

C3D000

heap

page read and write

C5F000

heap

page read and write

5830000

trusted library allocation

page execute and read and write

3030000

trusted library allocation

page read and write

C4D000

heap

page read and write

11D0000

heap

page read and write

5640000

trusted library allocation

page read and write

CC1000

heap

page read and write

C59000

heap

page read and write

3060000

trusted library allocation

page read and write

CA6000

heap

page read and write

64A0000

trusted library allocation

page execute and read and write

B3E000

stack

page read and write

CA3000

heap

page read and write

C47000

heap

page read and write

1333000

trusted library allocation

page execute and read and write

1550000

trusted library allocation

page read and write

C80000

heap

page read and write

C1C000

heap

page read and write

5AB8000

heap

page read and write

5207000

heap

page read and write

696E000

stack

page read and write

706E000

stack

page read and write

3053000

heap

page read and write

6E2D000

stack

page read and write

C21000

heap

page read and write

C80000

heap

page read and write

BCE000

unkown

page read and write

F70000

heap

page read and write

5AB0000

heap

page read and write

C4D000

heap

page read and write

CA3000

heap

page read and write

CCE000

heap

page read and write

59F0000

trusted library allocation

page execute and read and write

C5B000

heap

page read and write

59B0000

trusted library allocation

page execute and read and write

5AA4000

heap

page read and write

5670000

trusted library allocation

page execute and read and write

C26000

heap

page read and write

14DE000

stack

page read and write

7FDE0000

trusted library allocation

page execute and read and write

12EF000

stack

page read and write

C1B000

heap

page read and write

BF0000

heap

page read and write

640C000

stack

page read and write

CCA000

heap

page read and write

EB0000

heap

page read and write

59D0000

trusted library allocation

page execute and read and write

5A50000

trusted library allocation

page execute and read and write

A3B000

stack

page read and write

1348000

heap

page read and write

1543000

trusted library allocation

page read and write

5200000

heap

page read and write

1556000

trusted library allocation

page execute and read and write

4A8F000

stack

page read and write

6150000

trusted library allocation

page execute and read and write

149E000

stack

page read and write

3080000

trusted library allocation

page read and write

5202000

heap

page read and write

69E9000

stack

page read and write

B2E000

stack

page read and write

1382000

heap

page read and write

692D000

stack

page read and write

C28000

heap

page read and write

C57000

heap

page read and write

58D0000

trusted library allocation

page execute and read and write

5910000

trusted library allocation

page execute and read and write

348E000

trusted library allocation

page read and write

3001000

trusted library allocation

page read and write

C56000

heap

page read and write

12F0000

heap

page read and write

6CED000

stack

page read and write

C54000

heap

page read and write

5AF8000

heap

page read and write

2FEB000

trusted library allocation

page read and write

5900000

heap

page read and write

51F1000

heap

page read and write

2FFE000

trusted library allocation

page read and write

2FD0000

heap

page execute and read and write

B50000

heap

page read and write

1334000

trusted library allocation

page read and write

480000

unkown

page readonly

C22000

heap

page read and write

5890000

trusted library allocation

page read and write

C45000

heap

page read and write

E9F000

unkown

page read and write

CA3000

heap

page read and write

DEA000

stack

page read and write

C80000

heap

page read and write

1330000

heap

page read and write

3050000

heap

page read and write

42EC000

trusted library allocation

page read and write

31AF000

stack

page read and write

1440000

heap

page read and write

6F6D000

stack

page read and write

1540000

trusted library allocation

page read and write

3090000

trusted library allocation

page read and write

C2A000

heap

page read and write

C24000

heap

page read and write

CCA000

heap

page read and write

CC0000

heap

page read and write

3006000

trusted library allocation

page read and write

C4F000

heap

page read and write

C15000

heap

page read and write

1380000

heap

page read and write

2FF2000

trusted library allocation

page read and write

D54000

unkown

page readonly

F76000

heap

page read and write

C18000

heap

page read and write

1567000

trusted library allocation

page execute and read and write

14FE000

stack

page read and write

63CE000

stack

page read and write

18D0000

trusted library allocation

page read and write

BD7000

heap

page read and write

1610000

heap

page read and write

52AE000

stack

page read and write

C41000

heap

page read and write

134E000

heap

page read and write

CC9000

heap

page read and write

2FE4000

trusted library allocation

page read and write

66EB000

stack

page read and write

5680000

trusted library allocation

page read and write

1560000

trusted library allocation

page read and write

3070000

trusted library allocation

page read and write

C53000

heap

page read and write

C4F000

heap

page read and write

BD0000

heap

page read and write

348C000

trusted library allocation

page read and write

CC0000

heap

page read and write

C59000

heap

page read and write

1330000

trusted library allocation

page read and write

CC0000

heap

page read and write

67EC000

stack

page read and write

CCB000

heap

page read and write

58A0000

trusted library allocation

page execute and read and write

C21000

heap

page read and write

300D000

trusted library allocation

page read and write

B33000

stack

page read and write

1320000

trusted library allocation

page read and write

154D000

trusted library allocation

page execute and read and write

C20000

heap

page read and write

C07000

heap

page read and write

CA3000

heap

page read and write

171E000

stack

page read and write

2FC0000

trusted library allocation

page read and write

3040000

trusted library allocation

page read and write

C50000

heap

page read and write

C5C000

heap

page read and write

1150000

heap

page read and write

C3D000

heap

page read and write

1160000

heap

page read and write

C5E000

heap

page read and write

There are 289 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
b34J4bxnmN.exe

Files

Processes

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportb34J4bxnmN.exe

Files

Processes

IPs

Registry

Memdumps

IOC Report
b34J4bxnmN.exe