Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

eFvQTTtxej.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.001131702860381
Filename:	eFvQTTtxej.exe
Filesize:	169984
MD5:	8a168f78a99617be9f29c3804bb3747f
SHA1:	ab481df52d157f5eb9862839eaee170397980e2b
SHA256:	4eb0b835d61c2be5e193c6a6aadb7952e6754ce8b65bb5d589c316537eef0ad8
SHA512:	1edce923a173c84a4c3f231216f633badb712f98157c20218880c3d472631ef8b9750fc91bda578830d1f32544527cf0c8f1c997f1f7d26b75f8288069552365
SSDEEP:	3072:gmXQN/L1mhktBszkTk0p4rgm/wUywhAVPPlEfpxKNPAe1SocbDbn5vZfzWb:gmXlQT7OrF/wUywh42fAPAMcbfdZf
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..f................................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\eFvQTTtxej.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\eFvQTTtxej.exe.log
Category:	dropped
Dump:	eFvQTTtxej.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\eFvQTTtxej.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Client.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Client.exe
Category:	dropped
Dump:	Client.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\eFvQTTtxej.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.001131702860381
Encrypted:	false
Ssdeep:	3072:gmXQN/L1mhktBszkTk0p4rgm/wUywhAVPPlEfpxKNPAe1SocbDbn5vZfzWb:gmXlQT7OrF/wUywh42fAPAMcbfdZf
Size:	169984
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Changes the view of files in windows explorer (hidden files and folders)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Machine Learning detection for dropped file	AV Detection
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Uses Microsoft Silverlight	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\eFvQTTtxej.exe

"C:\Users\user\Desktop\eFvQTTtxej.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5812
Target ID:	0
Parent PID:	1028
Name:	eFvQTTtxej.exe
Path:	C:\Users\user\Desktop\eFvQTTtxej.exe
Commandline:	"C:\Users\user\Desktop\eFvQTTtxej.exe"
Size:	169984
MD5:	8A168F78A99617BE9F29C3804BB3747F
Time:	15:06:54
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x700000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Client.exe

"C:\Users\user\AppData\Local\Temp\Client.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2616
Target ID:	2
Parent PID:	5812
Name:	Client.exe
Path:	C:\Users\user\AppData\Local\Temp\Client.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\Client.exe"
Size:	169984
MD5:	8A168F78A99617BE9F29C3804BB3747F
Time:	15:07:01
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x520000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://go.microsoft.

unknown

http://go.microsoft.LinkId=42127

unknown

https://www.youtube.com/watch?v=Ji9IwPId5UkPThis

unknown

Details

Name:	https://www.youtube.com/watch?v=Ji9IwPId5UkPThis
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\eFvQTTtxej.exe
Source:	eFvQTTtxej.exe, 00000000.00000002.2081149639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.4466199974.0000000002C01000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found strings which match to known social media urls	Networking
URLs found in memory or binary data	Networking

Domains

Name

Malicious

22.ip.gl.ply.gg

147.185.221.22

Details

Name:	22.ip.gl.ply.gg
IP:	147.185.221.22
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.22

22.ip.gl.ply.gg

United States

Details

IP:	147.185.221.22
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\Client.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	22.ip.gl.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Changes the view of files in windows explorer (hidden files and folders)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Hidden

HKEY_CURRENT_USER\SOFTWARE\Client.exe

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

2D31000

trusted library allocation

page read and write

2C01000

trusted library allocation

page read and write

E6A000

trusted library allocation

page execute and read and write

564E000

stack

page read and write

A4F000

heap

page read and write

E40000

trusted library allocation

page read and write

C10000

heap

page read and write

E52000

trusted library allocation

page execute and read and write

9BE000

stack

page read and write

4E4C000

stack

page read and write

702000

unkown

page readonly

4E80000

heap

page read and write

AF6000

stack

page read and write

E5A000

trusted library allocation

page execute and read and write

AB8000

heap

page read and write

D40000

trusted library allocation

page read and write

F3C000

stack

page read and write

D10000

heap

page read and write

50A0000

heap

page read and write

4DCC000

stack

page read and write

F78000

trusted library allocation

page read and write

950000

heap

page read and write

D82000

trusted library allocation

page execute and read and write

D97000

trusted library allocation

page execute and read and write

F40000

trusted library allocation

page read and write

5A0E000

stack

page read and write

D8A000

trusted library allocation

page execute and read and write

1090000

trusted library allocation

page read and write

10DE000

stack

page read and write

1140000

heap

page read and write

112E000

stack

page read and write

970000

heap

page read and write

72C000

unkown

page readonly

D5A000

trusted library allocation

page execute and read and write

4E60000

trusted library allocation

page read and write

54A0000

heap

page read and write

E62000

trusted library allocation

page execute and read and write

EEF000

heap

page read and write

DB6000

heap

page read and write

53CE000

stack

page read and write

ACC000

heap

page read and write

3C30000

trusted library allocation

page read and write

28BE000

stack

page read and write

EFE000

stack

page read and write

4EA0000

trusted library allocation

page execute and read and write

590E000

stack

page read and write

550F000

stack

page read and write

568E000

stack

page read and write

DF0000

heap

page read and write

5570000

heap

page read and write

4EF0000

trusted library allocation

page read and write

A9E000

heap

page read and write

702000

unkown

page readonly

29EE000

stack

page read and write

D77000

trusted library allocation

page execute and read and write

4E50000

trusted library allocation

page execute and read and write

4CFE000

stack

page read and write

57CC000

stack

page read and write

72E000

unkown

page readonly

8F9000

stack

page read and write

4D20000

trusted library allocation

page execute and read and write

D7A000

trusted library allocation

page execute and read and write

2C5E000

trusted library allocation

page read and write

4F50000

unclassified section

page read and write

E6C000

trusted library allocation

page execute and read and write

975000

heap

page read and write

4E83000

heap

page read and write

A81000

heap

page read and write

528E000

stack

page read and write

D62000

trusted library allocation

page execute and read and write

4D10000

trusted library allocation

page read and write

E8A000

heap

page read and write

DEF000

stack

page read and write

D92000

trusted library allocation

page read and write

5490000

heap

page read and write

4F00000

trusted library allocation

page execute and read and write

CB0000

heap

page read and write

1097000

trusted library allocation

page execute and read and write

5EA000

stack

page read and write

960000

heap

page read and write

1082000

trusted library allocation

page execute and read and write

1010000

heap

page execute and read and write

DB0000

heap

page read and write

4FAE000

stack

page read and write

554E000

stack

page read and write

D9B000

trusted library allocation

page execute and read and write

E80000

heap

page read and write

CDE000

stack

page read and write

F32000

heap

page read and write

E60000

trusted library allocation

page read and write

CA0000

heap

page execute and read and write

CF0000

heap

page read and write

E67000

trusted library allocation

page execute and read and write

EA6000

heap

page read and write

8F6000

stack

page read and write

CE5000

heap

page read and write

700000

unkown

page readonly

3D31000

trusted library allocation

page read and write

5070000

trusted library allocation

page execute and read and write

578E000

stack

page read and write

A18000

heap

page read and write

706000

unkown

page readonly

CE0000

heap

page read and write

F1B000

heap

page read and write

518E000

stack

page read and write

C9D000

stack

page read and write

A10000

heap

page read and write

D52000

trusted library allocation

page execute and read and write

50AF000

stack

page read and write

4EE9000

stack

page read and write

4ECF000

stack

page read and write

71B000

unkown

page readonly

109B000

trusted library allocation

page execute and read and write

7CB000

stack

page read and write

C5E000

stack

page read and write

540E000

stack

page read and write

E20000

heap

page read and write

EBE000

heap

page read and write

E8E000

heap

page read and write

4E90000

trusted library allocation

page execute and read and write

D60000

trusted library allocation

page read and write

1130000

trusted library allocation

page read and write

52CE000

stack

page read and write

3C01000

trusted library allocation

page read and write

F60000

heap

page read and write

7F2F0000

trusted library allocation

page execute and read and write

A1E000

heap

page read and write

107E000

stack

page read and write

58CC000

stack

page read and write

B30000

heap

page read and write

4E0B000

stack

page read and write

There are 121 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
eFvQTTtxej.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReporteFvQTTtxej.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
eFvQTTtxej.exe