Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.83482913122869
Filename:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Filesize:	694272
MD5:	48977f1b641a9a3d88329ac470152381
SHA1:	d0eb9734f9bdeb6ab50ccad4342f92f4d405d2f0
SHA256:	1c829d80809fb2b5f7c2b40cf05064765bf237f655c9ca557e2d5a01f52b4bc6
SHA512:	8f0e68b0b489a5aeb363641dc85408e8358a2fbd822d62cf494ce670294fe8f84d8c0ae2baa6e80c3099b3e37a8b35501b87eac88235e52c935908a0d565975b
SSDEEP:	12288:QkJZPIBQBNWZEV6fewCe5wHdiFNCghayBN9YlXOx5eh8bQb:Q5iNiEVkAe5wMFNChly5BI
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#...............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion
Contains functionality to capture screen (.Net source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.379552885213346
Encrypted:	false
Ssdeep:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//MM0Uyus:fLHxvCsIfA2KRHmOugA1s
Size:	2232
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cspmtibh.w1g.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cspmtibh.w1g.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_cspmtibh.w1g.ps1.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghqruusq.dbt.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghqruusq.dbt.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_ghqruusq.dbt.ps1.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwyyloqs.uxv.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwyyloqs.uxv.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_wwyyloqs.uxv.psm1.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xq2qdmiu.t02.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xq2qdmiu.t02.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_xq2qdmiu.t02.psm1.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7412
Target ID:	0
Parent PID:	4056
Name:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Size:	694272
MD5:	48977F1B641A9A3D88329AC470152381
Time:	15:54:16
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x130000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7584
Target ID:	3
Parent PID:	7412
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	15:54:17
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7600
Target ID:	5
Parent PID:	7412
Name:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Size:	694272
MD5:	48977F1B641A9A3D88329AC470152381
Time:	15:54:17
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd50000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7592
Target ID:	4
Parent PID:	7584
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:54:17
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	7820
Target ID:	6
Parent PID:	748
Name:	WmiPrvSE.exe
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Size:	496640
MD5:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Time:	15:54:20
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff7fb730000
Modulesize:	516096
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://aborters.duckdns.org:8081

unknown

http://anotherarmy.dns.army:8081

unknown

https://www.office.com/

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://api.telegram.org

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://api.telegram.org/bot

unknown

https://www.office.com/lB

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://checkip.dyndns.org

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:19:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

149.154.167.220

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

https://api.telegram.org/bot/sendMessage?chat_id=&text=

unknown

https://chrome.google.com/webstore?hl=en

unknown

https://www.ecosia.org/newtab/

unknown

http://varders.kozow.com:8081

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://checkip.dyndns.org/

193.122.6.168

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://checkip.dyndns.org/q

unknown

https://chrome.google.com/webstore?hl=enlB

unknown

https://reallyfreegeoip.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a

unknown

http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 20 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

time.windows.com

unknown

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	5
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	5
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Details

IP:	193.122.6.168
TargetID:	5
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3479000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

31F1000

trusted library allocation

page read and write

66DE000

heap

page read and write

4211000

trusted library allocation

page read and write

631000

heap

page read and write

6EB7000

trusted library allocation

page read and write

6D96000

trusted library allocation

page read and write

3388000

trusted library allocation

page read and write

6EE0000

trusted library allocation

page read and write

1DC000

unkown

page readonly

34FF000

trusted library allocation

page read and write

1680000

heap

page read and write

444F000

trusted library allocation

page read and write

346D000

trusted library allocation

page read and write

6DF0000

trusted library allocation

page execute and read and write

4A80000

trusted library allocation

page read and write

6E90000

trusted library allocation

page execute and read and write

67D0000

heap

page read and write

4970000

trusted library allocation

page read and write

13E0000

heap

page read and write

568D000

stack

page read and write

458F000

trusted library allocation

page read and write

7FE6000

trusted library allocation

page read and write

460C000

stack

page read and write

1420000

heap

page read and write

3587000

trusted library allocation

page read and write

329A000

trusted library allocation

page read and write

3094000

trusted library allocation

page read and write

70281000

unkown

page execute read

34F9000

trusted library allocation

page read and write

91F000

stack

page read and write

4E8E000

stack

page read and write

30B0000

trusted library allocation

page read and write

6EC0000

trusted library allocation

page read and write

6DE0000

trusted library allocation

page read and write

1400000

trusted library allocation

page read and write

49D5000

trusted library allocation

page read and write

6ED0000

trusted library allocation

page execute and read and write

5000000

trusted library allocation

page read and write

41FF000

trusted library allocation

page read and write

3071000

trusted library allocation

page read and write

6EB0000

trusted library allocation

page read and write

1683000

heap

page read and write

BE4E000

stack

page read and write

337D000

trusted library allocation

page read and write

3268000

trusted library allocation

page read and write

68D0000

heap

page read and write

447B000

trusted library allocation

page read and write

633000

heap

page read and write

3383000

trusted library allocation

page read and write

BC4E000

stack

page read and write

1410000

trusted library allocation

page read and write

1330000

heap

page read and write

49C0000

trusted library allocation

page read and write

329E000

trusted library allocation

page read and write

32AA000

trusted library allocation

page read and write

5940000

heap

page execute and read and write

4A50000

trusted library allocation

page read and write

4204000

trusted library allocation

page read and write

5620000

heap

page read and write

4336000

trusted library allocation

page read and write

34F1000

trusted library allocation

page read and write

42EA000

trusted library allocation

page read and write

32AE000

trusted library allocation

page read and write

6AB000

heap

page read and write

4A70000

trusted library allocation

page execute and read and write

63E000

heap

page read and write

304C000

stack

page read and write

4974000

trusted library allocation

page read and write

246F000

stack

page read and write

B9C000

stack

page read and write

952E000

stack

page read and write

C57E000

stack

page read and write

4507000

trusted library allocation

page read and write

AA4000

trusted library allocation

page read and write

42D1000

trusted library allocation

page read and write

345D000

trusted library allocation

page read and write

4AEB000

stack

page read and write

1412000

trusted library allocation

page read and write

AC0000

trusted library allocation

page read and write

34F4000

trusted library allocation

page read and write

A6F000

stack

page read and write

1690000

trusted library allocation

page execute and read and write

46A000

stack

page read and write

49B0000

trusted library allocation

page read and write

4A40000

heap

page read and write

3062000

trusted library allocation

page read and write

45CD000

trusted library allocation

page read and write

34FD000

trusted library allocation

page read and write

6A0E000

stack

page read and write

32B2000

trusted library allocation

page read and write

5770000

heap

page read and write

AC6000

trusted library allocation

page execute and read and write

4C60000

heap

page execute and read and write

34A0000

trusted library allocation

page read and write

4D80000

heap

page read and write

6BCE000

stack

page read and write

451D000

trusted library allocation

page read and write

33B5000

trusted library allocation

page read and write

7FC0000

trusted library allocation

page read and write

34E3000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

14E1000

heap

page read and write

3534000

trusted library allocation

page read and write

1457000

heap

page read and write

6F10000

heap

page read and write

AAD000

trusted library allocation

page execute and read and write

4AF0000

trusted library section

page readonly

4A60000

heap

page read and write

3503000

trusted library allocation

page read and write

BB0000

trusted library allocation

page read and write

324F000

trusted library allocation

page read and write

4478000

trusted library allocation

page read and write

ADB000

trusted library allocation

page execute and read and write

167E000

stack

page read and write

44A8000

trusted library allocation

page read and write

6C0E000

stack

page read and write

3379000

trusted library allocation

page read and write

5605000

heap

page read and write

4F60000

trusted library allocation

page read and write

AD2000

trusted library allocation

page read and write

B5E000

stack

page read and write

BC8E000

stack

page read and write

44F1000

trusted library allocation

page read and write

3264000

trusted library allocation

page read and write

626000

heap

page read and write

1187000

stack

page read and write

52EE000

stack

page read and write

32D8000

trusted library allocation

page read and write

4F50000

trusted library section

page read and write

4C40000

trusted library allocation

page execute and read and write

6DD0000

trusted library allocation

page execute and read and write

4316000

trusted library allocation

page read and write

4B00000

heap

page read and write

33AF000

trusted library allocation

page read and write

449B000

trusted library allocation

page read and write

5E0000

heap

page read and write

70280000

unkown

page readonly

2FF0000

trusted library allocation

page read and write

B00000

trusted library allocation

page execute and read and write

45D0000

trusted library allocation

page read and write

4996000

trusted library allocation

page read and write

5F0000

heap

page read and write

1350000

heap

page read and write

6DB0000

trusted library allocation

page execute and read and write

AA3000

trusted library allocation

page execute and read and write

30E0000

heap

page execute and read and write

13D3000

trusted library allocation

page execute and read and write

337B000

trusted library allocation

page read and write

6A4D000

stack

page read and write

347F000

trusted library allocation

page read and write

1417000

trusted library allocation

page execute and read and write

93A0000

trusted library section

page read and write

13D4000

trusted library allocation

page read and write

1449000

heap

page read and write

307D000

trusted library allocation

page read and write

6E00000

trusted library allocation

page execute and read and write

6D9A000

trusted library allocation

page read and write

3471000

trusted library allocation

page read and write

6DC0000

trusted library allocation

page read and write

ABD000

trusted library allocation

page execute and read and write

5BD0000

trusted library allocation

page read and write

457A000

trusted library allocation

page read and write

AD7000

trusted library allocation

page execute and read and write

34A6000

trusted library allocation

page read and write

44FE000

trusted library allocation

page read and write

11F0000

heap

page read and write

425C000

trusted library allocation

page read and write

6877000

heap

page read and write

C1FE000

stack

page read and write

13DD000

trusted library allocation

page execute and read and write

6E80000

trusted library allocation

page read and write

3242000

trusted library allocation

page read and write

5B8E000

stack

page read and write

24C2000

trusted library allocation

page read and write

AC2000

trusted library allocation

page read and write

44B2000

trusted library allocation

page read and write

43A9000

trusted library allocation

page read and write

3561000

trusted library allocation

page read and write

BC7000

heap

page read and write

690E000

stack

page read and write

BC0000

heap

page read and write

44AD000

trusted library allocation

page read and write

49A2000

trusted library allocation

page read and write

4F75000

heap

page read and write

347B000

trusted library allocation

page read and write

13C0000

trusted library allocation

page read and write

1455000

heap

page read and write

434C000

trusted library allocation

page read and write

63A000

heap

page read and write

43BE000

trusted library allocation

page read and write

6CA0000

trusted library allocation

page execute and read and write

AB0000

trusted library allocation

page read and write

31EF000

stack

page read and write

5D0000

heap

page read and write

306A000

trusted library allocation

page read and write

6DA0000

trusted library allocation

page read and write

7029D000

unkown

page read and write

6A8E000

stack

page read and write

BA0000

heap

page read and write

7EE80000

trusted library allocation

page execute and read and write

C1BF000

stack

page read and write

13F0000

trusted library allocation

page read and write

33A7000

trusted library allocation

page read and write

B10000

heap

page execute and read and write

358A000

trusted library allocation

page read and write

499D000

trusted library allocation

page read and write

130000

unkown

page readonly

43FF000

trusted library allocation

page read and write

6E20000

trusted library allocation

page execute and read and write

420B000

trusted library allocation

page read and write

C47E000

stack

page read and write

3050000

trusted library allocation

page read and write

1356000

heap

page read and write

4F4E000

stack

page read and write

1428000

heap

page read and write

AA0000

trusted library allocation

page read and write

24CD000

trusted library allocation

page read and write

2471000

trusted library allocation

page read and write

4A00000

trusted library allocation

page read and write

33AB000

trusted library allocation

page read and write

498E000

trusted library allocation

page read and write

33BA000

trusted library allocation

page read and write

4A63000

heap

page read and write

358C000

trusted library allocation

page read and write

3581000

trusted library allocation

page read and write

35B8000

trusted library allocation

page read and write

4991000

trusted library allocation

page read and write

55D0000

heap

page read and write

1630000

trusted library allocation

page read and write

70296000

unkown

page readonly

4C50000

trusted library allocation

page read and write

34F7000

trusted library allocation

page read and write

33FA000

trusted library allocation

page read and write

161E000

stack

page read and write

C33E000

stack

page read and write

49D0000

trusted library allocation

page read and write

681D000

heap

page read and write

45A2000

trusted library allocation

page read and write

567000

stack

page read and write

6C8E000

stack

page read and write

AF0000

trusted library allocation

page read and write

6EA0000

trusted library allocation

page read and write

3090000

trusted library allocation

page read and write

1310000

heap

page read and write

3375000

trusted library allocation

page read and write

1406000

trusted library allocation

page execute and read and write

13D0000

trusted library allocation

page read and write

3590000

trusted library allocation

page read and write

32FB000

trusted library allocation

page read and write

305B000

trusted library allocation

page read and write

49E0000

trusted library allocation

page read and write

13FD000

trusted library allocation

page execute and read and write

151A000

heap

page read and write

7FB2000

trusted library allocation

page read and write

C43E000

stack

page read and write

613000

heap

page read and write

16A0000

heap

page read and write

A90000

trusted library allocation

page read and write

AB3000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

500F000

trusted library allocation

page read and write

441B000

trusted library allocation

page read and write

C6BC000

stack

page read and write

3463000

trusted library allocation

page read and write

3595000

trusted library allocation

page read and write

C2FE000

stack

page read and write

141B000

trusted library allocation

page execute and read and write

5005000

trusted library allocation

page read and write

BF4E000

stack

page read and write

95E000

stack

page read and write

325A000

trusted library allocation

page read and write

32A6000

trusted library allocation

page read and write

41F1000

trusted library allocation

page read and write

449F000

trusted library allocation

page read and write

72E000

stack

page read and write

7029F000

unkown

page readonly

5FE000

heap

page read and write

43FB000

trusted library allocation

page read and write

68D6000

heap

page read and write

3458000

trusted library allocation

page read and write

32A2000

trusted library allocation

page read and write

ACA000

trusted library allocation

page execute and read and write

132000

unkown

page readonly

3292000

trusted library allocation

page read and write

2F58000

trusted library allocation

page read and write

42AC000

trusted library allocation

page read and write

34AD000

trusted library allocation

page read and write

746000

heap

page read and write

3476000

trusted library allocation

page read and write

6D94000

trusted library allocation

page read and write

66D000

heap

page read and write

66D0000

heap

page read and write

6E10000

trusted library allocation

page execute and read and write

305E000

trusted library allocation

page read and write

4A52000

trusted library allocation

page read and write

55E0000

heap

page read and write

44A4000

trusted library allocation

page read and write

1402000

trusted library allocation

page read and write

6DAD000

trusted library allocation

page read and write

33F2000

trusted library allocation

page read and write

C0BE000

stack

page read and write

4FFE000

stack

page read and write

3076000

trusted library allocation

page read and write

3056000

trusted library allocation

page read and write

68CF000

stack

page read and write

3296000

trusted library allocation

page read and write

3000000

heap

page read and write

7FE0000

trusted library allocation

page read and write

C5BB000

stack

page read and write

42C2000

trusted library allocation

page read and write

497B000

trusted library allocation

page read and write

1089000

stack

page read and write

140A000

trusted library allocation

page execute and read and write

1415000

trusted library allocation

page execute and read and write

4219000

trusted library allocation

page read and write

4503000

trusted library allocation

page read and write

6D8F000

stack

page read and write

6C4E000

stack

page read and write

326D000

trusted library allocation

page read and write

4C30000

heap

page read and write

44AA000

trusted library allocation

page read and write

68F8000

heap

page read and write

6ACE000

stack

page read and write

4950000

heap

page read and write

610000

heap

page read and write

43D1000

trusted library allocation

page read and write

960000

heap

page read and write

34B3000

trusted library allocation

page read and write

5FB000

heap

page read and write

44EC000

trusted library allocation

page read and write

4430000

trusted library allocation

page read and write

44F7000

trusted library allocation

page read and write

4F70000

heap

page read and write

740000

heap

page read and write

130E000

stack

page read and write

30A0000

trusted library allocation

page read and write

73C0000

heap

page read and write

306E000

trusted library allocation

page read and write

There are 330 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe