Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

hfKx2T5IfT.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.371407401715407
Filename:	hfKx2T5IfT.exe
Filesize:	126464
MD5:	61ae4aea70d5e2c89c5f4c77453a158a
SHA1:	be19c1e5f3d36df7b4f1bfd5c88465f7c1f124c4
SHA256:	76618841b8ca047be4e3985b65b33f284e92446c774df127aa5f584fa38a48f6
SHA512:	f0fa9452a8256e8a4784bcca2518e0b8faefcbbabd4e9bd517a66b820bcecf59da9455c170adce1ded19100baf4ce43e016b78be45a7af883b09cf1f79387a8e
SSDEEP:	3072:vqGlYGCqI9Z5JC6wiM+LhwlwqzIwgxBANC:yGDW9ZXCdvdKqzIg
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Vy.f.....................4........... ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large strings	System Summary
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May infect USB drives	Spreading	Replication Through Removable Media
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains strange resources	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\System32\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\hfKx2T5IfT.exe

"C:\Users\user\Desktop\hfKx2T5IfT.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7656
Target ID:	0
Parent PID:	4056
Name:	hfKx2T5IfT.exe
Path:	C:\Users\user\Desktop\hfKx2T5IfT.exe
Commandline:	"C:\Users\user\Desktop\hfKx2T5IfT.exe"
Size:	126464
MD5:	61AE4AEA70D5E2C89C5F4C77453A158A
Time:	04:32:40
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	155648
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\hfKx2T5IfT.exe" "hfKx2T5IfT.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	7760
Target ID:	2
Parent PID:	7656
Name:	netsh.exe
Path:	C:\Windows\System32\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\hfKx2T5IfT.exe" "hfKx2T5IfT.exe" ENABLE
Size:	96768
MD5:	6F1E6DD688818BC3D1391D0CC7D597EB
Time:	04:32:47
Date:	25/09/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff698250000
Modulesize:	147456
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7772
Target ID:	3
Parent PID:	7760
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:32:47
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

unknown

Details

Name:	https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\hfKx2T5IfT.exe
Source:	hfKx2T5IfT.exe, 00000000.00000002.3776937888.0000000003331000.00000004.00000800.00020000.00000000.sdmp, hfKx2T5IfT.exe, 00000000.00000002.3776545983.00000000013B0000.00000004.08000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

19.ip.gl.ply.gg

147.185.221.19

Details

Name:	19.ip.gl.ply.gg
IP:	147.185.221.19
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.19

19.ip.gl.ply.gg

United States

Details

IP:	147.185.221.19
TargetID:	0
Current Path:	C:\Users\user\Desktop\hfKx2T5IfT.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	19.ip.gl.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Memdumps

Base Address

Regiontype

Protect

Malicious

3331000

trusted library allocation

page read and write

13B0000

trusted library section

page read and write

1874BD11000

heap

page read and write

1874BD81000

heap

page read and write

18749DB8000

heap

page read and write

BE0000

unkown

page readonly

18749E0E000

heap

page read and write

1874BD20000

heap

page read and write

5ED2EFE000

stack

page read and write

1874BDCA000

heap

page read and write

1874BDD3000

heap

page read and write

18749E09000

heap

page read and write

1874BDD3000

heap

page read and write

1874B848000

heap

page read and write

1874BD10000

heap

page read and write

18749E20000

heap

page read and write

18749E29000

heap

page read and write

18749D98000

heap

page read and write

C00000

unkown

page readonly

18749E20000

heap

page read and write

7FFAAC4AA000

trusted library allocation

page execute and read and write

1874BDFE000

heap

page read and write

7FFAAC570000

trusted library allocation

page execute and read and write

18749DE4000

heap

page read and write

18749E24000

heap

page read and write

18749E04000

heap

page read and write

1874BD6E000

heap

page read and write

1BC90000

trusted library section

page read and write

18749DDE000

heap

page read and write

18749D83000

heap

page read and write

1874BDC9000

heap

page read and write

D44000

stack

page read and write

18749E04000

heap

page read and write

18749D9B000

heap

page read and write

1874B84F000

heap

page read and write

1874B84A000

heap

page read and write

1874BD25000

heap

page read and write

1874BD22000

heap

page read and write

1BC0D000

stack

page read and write

18749E08000

heap

page read and write

18749E04000

heap

page read and write

18749E0F000

heap

page read and write

1874BDCD000

heap

page read and write

1874BD42000

heap

page read and write

18749E09000

heap

page read and write

1874BDE7000

heap

page read and write

18749D49000

heap

page read and write

18749E08000

heap

page read and write

18749D30000

heap

page read and write

18749E04000

heap

page read and write

1874BDBA000

heap

page read and write

18749DA1000

heap

page read and write

18749E15000

heap

page read and write

18749E25000

heap

page read and write

1874BD82000

heap

page read and write

18749E13000

heap

page read and write

18749E2C000

heap

page read and write

18749E23000

heap

page read and write

13E3000

heap

page read and write

5ED2CFE000

stack

page read and write

18749DDD000

heap

page read and write

18749DB9000

heap

page read and write

18749E04000

heap

page read and write

1C1E0000

heap

page read and write

D90000

heap

page read and write

13D3000

heap

page read and write

18749D96000

heap

page read and write

7FFB1E0F6000

unkown

page readonly

1874BDB6000

heap

page read and write

1874BD41000

heap

page read and write

18749DA7000

heap

page read and write

1874BD6E000

heap

page read and write

1BCE0000

heap

page read and write

18749E04000

heap

page read and write

1874BD11000

heap

page read and write

1874BD81000

heap

page read and write

1874BD73000

heap

page read and write

18749DDC000

heap

page read and write

18749D8F000

heap

page read and write

1874BD1E000

heap

page read and write

18749DDC000

heap

page read and write

DE0000

heap

page read and write

1874BD1D000

heap

page read and write

18749E08000

heap

page read and write

18749DDC000

heap

page read and write

1874BDDF000

heap

page read and write

11D2000

heap

page read and write

10E0000

heap

page read and write

18749DDC000

heap

page read and write

1874BDA9000

heap

page read and write

1380000

trusted library allocation

page read and write

1740000

heap

page execute and read and write

5ED2DFD000

unkown

page read and write

7FFAAC522000

trusted library allocation

page read and write

18749E0E000

heap

page read and write

18749DB9000

heap

page read and write

18749DA7000

heap

page read and write

18749DDC000

heap

page read and write

18749DE5000

heap

page read and write

18749E1E000

heap

page read and write

1874BD1C000

heap

page read and write

18749E23000

heap

page read and write

18749D87000

heap

page read and write

13337000

trusted library allocation

page read and write

7FFAAC530000

trusted library allocation

page execute and read and write

1400000

heap

page read and write

18749E05000

heap

page read and write

18749E08000

heap

page read and write

7FFAAC413000

trusted library allocation

page execute and read and write

11B7000

heap

page read and write

18749E20000

heap

page read and write

18749E12000

heap

page read and write

18749D86000

heap

page read and write

7FFAAC3E2000

trusted library allocation

page execute and read and write

18749E15000

heap

page read and write

1C140000

heap

page read and write

BE0000

unkown

page readonly

18749E08000

heap

page read and write

18749DB8000

heap

page read and write

1874BD1D000

heap

page read and write

18749DDC000

heap

page read and write

18749E04000

heap

page read and write

1874BDB6000

heap

page read and write

18749E0A000

heap

page read and write

7FFAAC40F000

trusted library allocation

page execute and read and write

1874BDA9000

heap

page read and write

1B390000

trusted library allocation

page read and write

1874BD1D000

heap

page read and write

18749E06000

heap

page read and write

33E4000

trusted library allocation

page read and write

18749E0D000

heap

page read and write

18749DDD000

heap

page read and write

18749E21000

heap

page read and write

1725000

stack

page read and write

18749E05000

heap

page read and write

18749DA1000

heap

page read and write

28000

trusted library allocation

page read and write

18749E04000

heap

page read and write

115A000

heap

page read and write

DA0000

heap

page read and write

18749DDC000

heap

page read and write

18749DDE000

heap

page read and write

1874BD19000

heap

page read and write

18749E0E000

heap

page read and write

18749E08000

heap

page read and write

7FFAAC4B0000

trusted library allocation

page read and write

1874BDCA000

heap

page read and write

7FFAAC580000

trusted library allocation

page execute and read and write

1874BD11000

heap

page read and write

18749DDC000

heap

page read and write

1555000

heap

page read and write

13335000

trusted library allocation

page read and write

1874B85D000

heap

page read and write

18749D84000

heap

page read and write

18749DDC000

heap

page read and write

18749E04000

heap

page read and write

18749D99000

heap

page read and write

18749DDD000

heap

page read and write

18749E08000

heap

page read and write

18749DB8000

heap

page read and write

7FFB1E0E1000

unkown

page execute read

18749E23000

heap

page read and write

18749DE3000

heap

page read and write

18749E04000

heap

page read and write

33AD000

trusted library allocation

page read and write

1874BDC9000

heap

page read and write

1874BD1D000

heap

page read and write

18749E04000

heap

page read and write

18749D92000

heap

page read and write

18749E10000

heap

page read and write

18749DF0000

heap

page read and write

1874BDD5000

heap

page read and write

18749DA2000

heap

page read and write

18749E04000

heap

page read and write

18749E20000

heap

page read and write

18749E12000

heap

page read and write

1874B970000

heap

page read and write

18749E04000

heap

page read and write

1874B840000

heap

page read and write

7FFB1E100000

unkown

page read and write

1874B854000

heap

page read and write

18749DF0000

heap

page read and write

18749D9B000

heap

page read and write

7FFAAC4BD000

trusted library allocation

page execute and read and write

18749D8E000

heap

page read and write

1874BD1C000

heap

page read and write

11D6000

heap

page read and write

18749DA7000

heap

page read and write

18749E09000

heap

page read and write

18749DF0000

heap

page read and write

13331000

trusted library allocation

page read and write

18749D7C000

heap

page read and write

7FFB1E105000

unkown

page readonly

18749E04000

heap

page read and write

1874BD41000

heap

page read and write

1BA04000

heap

page read and write

DC0000

heap

page read and write

20000

trusted library allocation

page read and write

5ED2CEE000

stack

page read and write

1874BD1C000

heap

page read and write

18749CB0000

heap

page read and write

18749E1B000

heap

page read and write

1874BD19000

heap

page read and write

18749D96000

heap

page read and write

1BEDE000

stack

page read and write

18749D99000

heap

page read and write

18749E28000

heap

page read and write

1874B85D000

heap

page read and write

1874BDD0000

heap

page read and write

18749DB8000

heap

page read and write

18749DB8000

heap

page read and write

18749DB9000

heap

page read and write

18749DDC000

heap

page read and write

18749E05000

heap

page read and write

7FF430080000

trusted library allocation

page execute and read and write

18749DF0000

heap

page read and write

1874BDDF000

heap

page read and write

18749C90000

heap

page read and write

1874BDA9000

heap

page read and write

114A000

heap

page read and write

7FFAAC3F2000

trusted library allocation

page execute and read and write

7FF430070000

trusted library allocation

page execute and read and write

7FFAAC3EA000

trusted library allocation

page execute and read and write

18749E0E000

heap

page read and write

18749E20000

heap

page read and write

18749DB8000

heap

page read and write

7FFAAC4B5000

trusted library allocation

page read and write

1874BD25000

heap

page read and write

7FFB1E0E0000

unkown

page readonly

18749DF0000

heap

page read and write

1874B843000

heap

page read and write

120C000

heap

page read and write

1874BD81000

heap

page read and write

5ED32FF000

stack

page read and write

18749DA7000

heap

page read and write

7FFAAC444000

trusted library allocation

page execute and read and write

7FFB1E102000

unkown

page readonly

1874BD1E000

heap

page read and write

1550000

heap

page read and write

18749DA7000

heap

page read and write

1874BDCE000

heap

page read and write

18749C80000

heap

page read and write

7FFAAC4A2000

trusted library allocation

page execute and read and write

1874BD81000

heap

page read and write

1874BD6E000

heap

page read and write

1405000

heap

page read and write

18749DA7000

heap

page read and write

18749E16000

heap

page read and write

18749DA4000

heap

page read and write

1874BD73000

heap

page read and write

7FFAAC590000

trusted library allocation

page execute and read and write

18749D25000

heap

page read and write

BE2000

unkown

page readonly

1874BD41000

heap

page read and write

18749D8E000

heap

page read and write

18749D20000

heap

page read and write

7FFAAC400000

trusted library allocation

page read and write

18749E1B000

heap

page read and write

18749DDC000

heap

page read and write

1874BD1E000

heap

page read and write

18749E0E000

heap

page read and write

33FE000

trusted library allocation

page read and write

18749DDC000

heap

page read and write

1874BDCC000

heap

page read and write

18749E15000

heap

page read and write

1874BDDE000

heap

page read and write

1874BD16000

heap

page read and write

1120000

heap

page read and write

18749DA7000

heap

page read and write

18749DDC000

heap

page read and write

2FEE000

stack

page read and write

18749D86000

heap

page read and write

1874BD20000

heap

page read and write

18749E0C000

heap

page read and write

18749E0F000

heap

page read and write

18749E26000

heap

page read and write

1874BDCB000

heap

page read and write

18749E0C000

heap

page read and write

1874BD1E000

heap

page read and write

1874BD25000

heap

page read and write

18749DDC000

heap

page read and write

1BCF2000

heap

page read and write

7FFAAC3F0000

trusted library allocation

page read and write

5ED31FE000

stack

page read and write

18749DDC000

heap

page read and write

1874BDD7000

heap

page read and write

18749D8E000

heap

page read and write

13E6000

heap

page read and write

18749DB8000

heap

page read and write

1874BD1E000

heap

page read and write

18749E04000

heap

page read and write

7FFAAC526000

trusted library allocation

page read and write

1BCB0000

heap

page execute and read and write

18749DB8000

heap

page read and write

16EA000

stack

page read and write

1874BD73000

heap

page read and write

18749D81000

heap

page read and write

18749E04000

heap

page read and write

1874B856000

heap

page read and write

18749E08000

heap

page read and write

1874BD41000

heap

page read and write

18749E28000

heap

page read and write

18749DDC000

heap

page read and write

1874BDBA000

heap

page read and write

13D0000

heap

page read and write

18749D45000

heap

page read and write

1874BDD0000

heap

page read and write

18749E10000

heap

page read and write

18749D8E000

heap

page read and write

18749DDC000

heap

page read and write

18749E21000

heap

page read and write

7FFAAC4BA000

trusted library allocation

page execute and read and write

18749E1B000

heap

page read and write

18749E1B000

heap

page read and write

112C000

heap

page read and write

1874BDCE000

heap

page read and write

18749E04000

heap

page read and write

1874BD1E000

heap

page read and write

18749DA7000

heap

page read and write

18749DF0000

heap

page read and write

18749E2A000

heap

page read and write

18749E18000

heap

page read and write

18749E0F000

heap

page read and write

18749E04000

heap

page read and write

1874BDFE000

heap

page read and write

1874B850000

heap

page read and write

1874B830000

heap

page read and write

18749E23000

heap

page read and write

18749E04000

heap

page read and write

13E0000

heap

page read and write

1874BD25000

heap

page read and write

131E000

stack

page read and write

1874BD8B000

heap

page read and write

18749E23000

heap

page read and write

33D6000

trusted library allocation

page read and write

11D4000

heap

page read and write

1874BDDE000

heap

page read and write

18749DB9000

heap

page read and write

18749DDC000

heap

page read and write

1874BD11000

heap

page read and write

1874BD17000

heap

page read and write

5ED2CF1000

stack

page read and write

18749DB8000

heap

page read and write

18749E2C000

heap

page read and write

18749DF0000

heap

page read and write

18749DBB000

heap

page read and write

7FFAAC4E2000

trusted library allocation

page execute and read and write

1743000

heap

page execute and read and write

11ED000

heap

page read and write

1874BDA1000

heap

page read and write

1874BD62000

heap

page read and write

18749E05000

heap

page read and write

There are 342 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
hfKx2T5IfT.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReporthfKx2T5IfT.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
hfKx2T5IfT.exe