Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5680
Target ID:	0
Parent PID:	1028
Name:	SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe"
Size:	4907008
MD5:	D46EB1527289A7937A29B51C5152C211
Time:	02:34:17
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6d0000
Modulesize:	4952064
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected GhostRat	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Nitol	Stealing of Sensitive Information, Remote Access Functionality
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

119.91.152.151

Details

Name:	119.91.152.151
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
Creates mutexes	System Summary

http://114.132.64.209:9652/mstsc.exe

114.132.64.209

Details

Name:	http://114.132.64.209:9652/mstsc.exe
IP:	114.132.64.209
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://114.132.64.209/

unknown

http://114.132.64.209:9652/mstsc.exeTx

unknown

http://114.132.64.209:9652/mstsc.exeC:

unknown

Details

Name:	http://114.132.64.209:9652/mstsc.exeC:
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Source:	SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe, 00000000.00000002.3459358578.0000000000992000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe, 00000000.00000002.3460334627.0000000010015000.00000002.00001000.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

119.91.152.151

unknown

China

Details

IP:	119.91.152.151
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Country:	China
Countrycode:	CHN
ASN number:	24143
ASN name:	CNNIC-QCN-APQingdaoCableTVNetworkCenterCN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
Creates mutexes	System Summary

114.132.64.209

unknown

China

Details

IP:	114.132.64.209
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe
Country:	China
Countrycode:	CHN
ASN number:	56046
ASN name:	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Rsymwe miusskwq

ConnectGroup

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Rsymwe miusskwq

MarkTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum

Version

Memdumps

Base Address

Regiontype

Protect

Malicious

992000

unkown

page read and write

10015000

direct allocation

page readonly

300E000

stack

page read and write

1208000

heap

page read and write

349E000

direct allocation

page read and write

10000000

direct allocation

page read and write

426E000

stack

page read and write

9E0000

unkown

page read and write

3DDF000

stack

page read and write

40DC000

stack

page read and write

351B000

stack

page read and write

FC0000

heap

page read and write

3781000

heap

page read and write

92A000

unkown

page readonly

308C000

stack

page read and write

3780000

heap

page read and write

11BE000

heap

page read and write

FC6000

heap

page read and write

411E000

stack

page read and write

9E7000

unkown

page readonly

6D0000

unkown

page readonly

376F000

stack

page read and write

92A000

unkown

page readonly

2CA0000

heap

page read and write

3FDF000

stack

page read and write

117A000

heap

page read and write

11E1000

heap

page read and write

2EC0000

heap

page read and write

F90000

heap

page read and write

2D20000

heap

page read and write

3EDE000

stack

page read and write

10001000

direct allocation

page execute read

1214000

heap

page read and write

2CE0000

heap

page read and write

9D8000

unkown

page write copy

421E000

stack

page read and write

6D1000

unkown

page execute read

9E7000

unkown

page readonly

1170000

heap

page read and write

11B1000

heap

page read and write

3094000

heap

page read and write

3090000

heap

page read and write

376D000

stack

page read and write

117E000

heap

page read and write

1150000

heap

page read and write

2CE3000

heap

page read and write

6D0000

unkown

page readonly

1160000

heap

page read and write

2CC0000

heap

page read and write

F80000

heap

page read and write

30A0000

direct allocation

page read and write

992000

unkown

page write copy

1001B000

direct allocation

page read and write

2D27000

heap

page read and write

F39000

stack

page read and write

FC7000

heap

page read and write

3620000

heap

page read and write

366C000

stack

page read and write

10020000

direct allocation

page readonly

361B000

stack

page read and write

436F000

stack

page read and write

E3B000

stack

page read and write

2E9E000

stack

page read and write

9D8000

unkown

page read and write

11F5000

heap

page read and write

3097000

heap

page read and write

304E000

stack

page read and write

6D1000

unkown

page execute read

3880000

trusted library allocation

page read and write

10021000

direct allocation

page read and write

There are 60 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11416.10977.exe