Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.840103659932688
Filename:	SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Filesize:	589312
MD5:	8825b50e377782c6c889c43998b31555
SHA1:	3d23cbc80c53b1fbf382e08d39ecf5f77d0d3419
SHA256:	aaad2261843429b4a8574c5c3fd1a80e2462fab4abdd1581eb4dacca34084882
SHA512:	864e8c8ba8d279e8764a9411914d95da99526104c9b07ae92c36b0ed1c7a9b34fcd212a622429a23313af9e61854f5c28bb2d71778d9fd1614f1c7325560e81b
SSDEEP:	12288:VU01JG3ZdnU/XhUgzPma5dt6NCttGpXQ+apuaFxnkeZe1tdtTJ:VXPGrnUZUsOa5dtmC4Q+A7hZe1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^a...............0.................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Security Software Discovery System Information Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7832
Target ID:	0
Parent PID:	2592
Name:	SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"
Size:	589312
MD5:	8825B50E377782C6C889C43998B31555
Time:	06:23:23
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6f0000
Modulesize:	614400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7996
Target ID:	3
Parent PID:	7832
Name:	SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"
Size:	589312
MD5:	8825B50E377782C6C889C43998B31555
Time:	06:23:24
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x180000
Modulesize:	614400
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"

Details

Is windows:	false
Is dropped:	false
PID:	8004
Target ID:	4
Parent PID:	7832
Name:	SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"
Size:	589312
MD5:	8825B50E377782C6C889C43998B31555
Time:	06:23:24
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000
Modulesize:	614400
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"

Details

Is windows:	false
Is dropped:	false
PID:	8012
Target ID:	5
Parent PID:	7832
Name:	SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe"
Size:	589312
MD5:	8825B50E377782C6C889C43998B31555
Time:	06:23:24
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb40000
Modulesize:	614400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

www.awlc7038.vip/b31a/

Details

Name:	www.awlc7038.vip/b31a/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

3BE7000

trusted library allocation

page read and write

A02D000

stack

page read and write

2D8E000

trusted library allocation

page read and write

71D2000

trusted library allocation

page read and write

4C1C000

stack

page read and write

52D0000

trusted library allocation

page execute and read and write

29B0000

heap

page read and write

FE0000

heap

page read and write

29A0000

trusted library allocation

page execute and read and write

D53000

trusted library allocation

page read and write

127E000

stack

page read and write

F6E000

stack

page read and write

52E0000

heap

page read and write

4F60000

trusted library allocation

page read and write

52C0000

heap

page read and write

53FE000

stack

page read and write

15A0000

direct allocation

page execute and read and write

A06D000

stack

page read and write

4F90000

trusted library allocation

page read and write

B80000

heap

page read and write

5500000

heap

page read and write

D1E000

stack

page read and write

2AD6000

trusted library allocation

page read and write

D44000

trusted library allocation

page read and write

6E4E000

stack

page read and write

2A9B000

stack

page read and write

796E000

stack

page read and write

BC0000

heap

page read and write

108E000

stack

page read and write

18E8000

direct allocation

page execute and read and write

D9E000

heap

page read and write

550E000

heap

page read and write

5030000

heap

page read and write

5430000

heap

page read and write

2AD1000

trusted library allocation

page read and write

5400000

heap

page read and write

4FD0000

heap

page read and write

2AA0000

trusted library allocation

page read and write

2ACE000

trusted library allocation

page read and write

5410000

heap

page read and write

D72000

trusted library allocation

page read and write

D6A000

trusted library allocation

page execute and read and write

7ADE000

stack

page read and write

772E000

stack

page read and write

786E000

stack

page read and write

D90000

heap

page read and write

D7B000

trusted library allocation

page execute and read and write

70AA000

trusted library allocation

page read and write

5040000

trusted library section

page readonly

1230000

trusted library allocation

page read and write

5060000

heap

page read and write

CDE000

stack

page read and write

75EE000

stack

page read and write

70A0000

trusted library allocation

page read and write

E7A000

heap

page read and write

A3A000

stack

page read and write

4FF0000

trusted library allocation

page execute and read and write

F8E000

stack

page read and write

A334000

heap

page read and write

D77000

trusted library allocation

page execute and read and write

D66000

trusted library allocation

page execute and read and write

1060000

heap

page read and write

B90000

heap

page read and write

1851000

direct allocation

page execute and read and write

7F420000

trusted library allocation

page execute and read and write

D4D000

trusted library allocation

page execute and read and write

2B10000

heap

page execute and read and write

1230000

heap

page read and write

D50000

trusted library allocation

page read and write

4FE0000

trusted library allocation

page read and write

D43000

trusted library allocation

page execute and read and write

76EF000

stack

page read and write

186D000

direct allocation

page execute and read and write

782F000

stack

page read and write

6FF0000

trusted library section

page read and write

299E000

stack

page read and write

DD1000

heap

page read and write

A66E000

stack

page read and write

6CF0000

trusted library allocation

page read and write

6BD0000

trusted library section

page read and write

2AB0000

trusted library allocation

page read and write

5000000

trusted library allocation

page read and write

16C9000

direct allocation

page execute and read and write

1287000

heap

page read and write

A330000

heap

page read and write

A56D000

stack

page read and write

3B21000

trusted library allocation

page read and write

173E000

direct allocation

page execute and read and write

6BE0000

trusted library allocation

page read and write

1866000

direct allocation

page execute and read and write

2B00000

trusted library allocation

page read and write

6D00000

trusted library allocation

page execute and read and write

5050000

heap

page read and write

4F70000

trusted library allocation

page read and write

29C8000

trusted library allocation

page read and write

16CD000

direct allocation

page execute and read and write

3B29000

trusted library allocation

page read and write

523B000

stack

page read and write

A230000

heap

page read and write

3D4A000

trusted library allocation

page read and write

2AE2000

trusted library allocation

page read and write

1280000

heap

page read and write

5600000

trusted library allocation

page read and write

52F0000

heap

page execute and read and write

FC0000

heap

page read and write

B37000

stack

page read and write

6D4E000

stack

page read and write

4F65000

trusted library allocation

page read and write

2ADD000

trusted library allocation

page read and write

D5D000

trusted library allocation

page execute and read and write

A22D000

stack

page read and write

4FE2000

trusted library allocation

page read and write

E6D000

stack

page read and write

2AF0000

trusted library allocation

page read and write

D40000

trusted library allocation

page read and write

2B21000

trusted library allocation

page read and write

5063000

heap

page read and write

2ABB000

trusted library allocation

page read and write

A52F000

stack

page read and write

2C18000

trusted library allocation

page read and write

D30000

trusted library allocation

page read and write

709E000

stack

page read and write

E7E000

heap

page read and write

6F2000

unkown

page readonly

2BC6000

trusted library allocation

page read and write

D80000

heap

page read and write

52E5000

heap

page read and write

6F0000

unkown

page readonly

There are 119 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.Win32.MalwareX-gen.16719.9062.exe