Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7656
Target ID:	0
Parent PID:	4084
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1853952
MD5:	FB6E05D5C008F119EFCDEEFE60D6E924
Time:	06:52:58
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe10000
Modulesize:	6967296
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://185.215.113.37/

185.215.113.37

Details

Name:	http://185.215.113.37/
IP:	185.215.113.37
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37

unknown

Details

Name:	http://185.215.113.37
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.php

185.215.113.37

Details

Name:	http://185.215.113.37/e2b1563c6670f193.php
IP:	185.215.113.37
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.phpo

unknown

http://185.215.113.37/e2b1563c6670f193.phpT

unknown

http://185.215.113.37/ws

unknown

http://185.215.113.37/e2b1563c6670f193.php8

unknown

IPs

Domain

Country

Malicious

185.215.113.37

unknown

Portugal

Details

IP:	185.215.113.37
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

8DE000

heap

page read and write

E11000

unkown

page execute and read and write

4E20000

direct allocation

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

1CF2E000

stack

page read and write

49A1000

heap

page read and write

850000

heap

page read and write

884000

heap

page read and write

884000

heap

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

399E000

stack

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

1312000

unkown

page execute and read and write

DE0000

direct allocation

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

EF2000

unkown

page execute and read and write

3BDF000

stack

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

3F9F000

stack

page read and write

884000

heap

page read and write

44DE000

stack

page read and write

884000

heap

page read and write

14B2000

unkown

page execute and write copy

49A1000

heap

page read and write

880000

heap

page read and write

884000

heap

page read and write

884000

heap

page read and write

1CDAF000

stack

page read and write

105A000

unkown

page execute and read and write

49A1000

heap

page read and write

345F000

stack

page read and write

DE0000

direct allocation

page read and write

884000

heap

page read and write

475E000

stack

page read and write

3ADE000

stack

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

DDE000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

11FC000

unkown

page execute and read and write

49A1000

heap

page read and write

939000

heap

page read and write

DE0000

direct allocation

page read and write

1D2FE000

stack

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

884000

heap

page read and write

12FA000

unkown

page execute and read and write

884000

heap

page read and write

D1E000

stack

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

2F9E000

stack

page read and write

4FA0000

direct allocation

page execute and read and write

884000

heap

page read and write

3C1E000

stack

page read and write

49A1000

heap

page read and write

ADE000

stack

page read and write

449F000

stack

page read and write

49A1000

heap

page read and write

335E000

stack

page read and write

BDE000

stack

page read and write

4F5F000

stack

page read and write

3E5F000

stack

page read and write

4FB0000

direct allocation

page execute and read and write

439E000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

DE0000

direct allocation

page read and write

49A1000

heap

page read and write

1CCAE000

stack

page read and write

91C000

heap

page read and write

C1E000

stack

page read and write

371E000

stack

page read and write

30DE000

stack

page read and write

36DF000

stack

page read and write

49A5000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

411E000

stack

page read and write

385E000

stack

page read and write

425E000

stack

page read and write

1312000

unkown

page execute and write copy

1D17F000

stack

page read and write

922000

heap

page read and write

884000

heap

page read and write

321E000

stack

page read and write

49A1000

heap

page read and write

309F000

stack

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

2F5F000

stack

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

884000

heap

page read and write

395F000

stack

page read and write

955000

heap

page read and write

884000

heap

page read and write

1CDEE000

stack

page read and write

1313000

unkown

page execute and write copy

884000

heap

page read and write

D9B000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

4E20000

direct allocation

page read and write

8D0000

heap

page read and write

49A1000

heap

page read and write

49C0000

heap

page read and write

3D1F000

stack

page read and write

EC1000

unkown

page execute and read and write

3E9E000

stack

page read and write

860000

heap

page read and write

331F000

stack

page read and write

1CEEF000

stack

page read and write

49A1000

heap

page read and write

DE0000

direct allocation

page read and write

49A1000

heap

page read and write

942000

heap

page read and write

1304000

unkown

page execute and read and write

49A1000

heap

page read and write

31DF000

stack

page read and write

49A0000

heap

page read and write

421F000

stack

page read and write

4FA0000

direct allocation

page execute and read and write

884000

heap

page read and write

D5E000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

ECD000

unkown

page execute and read and write

12D8000

unkown

page execute and read and write

49A1000

heap

page read and write

884000

heap

page read and write

1D3FC000

stack

page read and write

1D2BE000

stack

page read and write

4F70000

direct allocation

page execute and read and write

884000

heap

page read and write

884000

heap

page read and write

471F000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

4FC000

stack

page read and write

1D07E000

stack

page read and write

3FDD000

stack

page read and write

359F000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

461E000

stack

page read and write

5F5000

stack

page read and write

349E000

stack

page read and write

40DF000

stack

page read and write

49A1000

heap

page read and write

8DA000

heap

page read and write

3A9F000

stack

page read and write

927000

heap

page read and write

DFB000

heap

page read and write

884000

heap

page read and write

489E000

stack

page read and write

DE0000

direct allocation

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

8C0000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

E11000

unkown

page execute and write copy

E10000

unkown

page readonly

DF7000

heap

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

E10000

unkown

page read and write

884000

heap

page read and write

DE0000

direct allocation

page read and write

49A1000

heap

page read and write

4E20000

direct allocation

page read and write

1D02E000

stack

page read and write

49B0000

heap

page read and write

4F80000

direct allocation

page execute and read and write

3D5E000

stack

page read and write

14B1000

unkown

page execute and read and write

49A1000

heap

page read and write

884000

heap

page read and write

DE0000

direct allocation

page read and write

49A1000

heap

page read and write

DE0000

direct allocation

page read and write

DE0000

direct allocation

page read and write

DF0000

heap

page read and write

49A1000

heap

page read and write

DE0000

direct allocation

page read and write

884000

heap

page read and write

DE0000

direct allocation

page read and write

2D5F000

stack

page read and write

49A1000

heap

page read and write

381F000

stack

page read and write

884000

heap

page read and write

485F000

stack

page read and write

49A1000

heap

page read and write

49A1000

heap

page read and write

2E5F000

stack

page read and write

4AA0000

trusted library allocation

page read and write

DE0000

direct allocation

page read and write

884000

heap

page read and write

49A1000

heap

page read and write

45DF000

stack

page read and write

5FF000

stack

page read and write

4FD0000

direct allocation

page execute and read and write

4FC0000

direct allocation

page execute and read and write

884000

heap

page read and write

106E000

unkown

page execute and read and write

DE0000

direct allocation

page read and write

35DE000

stack

page read and write

499F000

stack

page read and write

884000

heap

page read and write

4F90000

direct allocation

page execute and read and write

4E00000

heap

page read and write

1D1BD000

stack

page read and write

435F000

stack

page read and write

4E5E000

stack

page read and write

49A1000

heap

page read and write

There are 224 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

IPs

Memdumps

IOC Report
file.exe