Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.FileRepMalware.23518.16980.exe

PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy:	6.9090934306154255
Filename:	SecuriteInfo.com.FileRepMalware.23518.16980.exe
Filesize:	2407936
MD5:	ea94a1fe3c2921313e7ea2b77675c7db
SHA1:	dd0388d8bdfd510256f26a8e9efe025fd9381867
SHA256:	ecbbb2801bb4d27db737c96ac45b2a51b449ddd9e2e2af42c1e85b79caa5a5ab
SHA512:	75faeea680fea9fa1ba1980aceb9f7c85208664d568d3d4a45079eb64fa542228a8f204cd48075af86b6ff25f599e6b186c5965ebb6bc7c19e5e45151b062c81
SSDEEP:	49152:9cUopVYb8CZgJEy4YqQD1qywbLTqFPO6KqMvdv2hSfrfX:jByQywfTYm6K7Aq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........x"......."......N....................@...............................*...........`... ............................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Potentially malicious time measurement code found	Anti Debugging
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executable is probably coded in Go lang	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\ConDrv

ASCII text

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
Type:	ASCII text
Entropy:	4.942310874298255
Encrypted:	false
Ssdeep:	24:BF2sFq0vCRja73EWyv8rR6XafbaZzB2cjvG9wsZ0HaLQ8u/rFgFrl:Zc63PB6XR98n9ws6d8er+L
Size:	1213
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7872
Target ID:	0
Parent PID:	3968
Name:	SecuriteInfo.com.FileRepMalware.23518.16980.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe"
Size:	2407936
MD5:	EA94A1FE3C2921313E7EA2B77675C7DB
Time:	16:26:01
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x680000
Modulesize:	2813952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7880
Target ID:	1
Parent PID:	7872
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:26:01
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff620390000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://106.14.141.209/hkDF

Details

Name:	http://106.14.141.209/hkDF
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://106.14.141.209:8087/hkDF

106.14.141.209

Details

Name:	http://106.14.141.209:8087/hkDF
IP:	106.14.141.209
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://106.14.141.209:8087/hkDF&

unknown

http://106.14.141.209:8087/hkDFly

unknown

http://106.14.141.209:8087/hkDFN

unknown

Domains

Name

Malicious

18.31.95.13.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

106.14.141.209

unknown

China

Details

IP:	106.14.141.209
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
Country:	China
Countrycode:	CHN
ASN number:	37963
ASN name:	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

29C510F0000

direct allocation

page execute and read and write

C000110000

direct allocation

page read and write

F9A47FA000

stack

page read and write

C000033000

direct allocation

page read and write

681000

unkown

page execute read

F9A49FE000

stack

page read and write

907000

unkown

page readonly

C00010E000

direct allocation

page read and write

C000038000

direct allocation

page read and write

C00001E000

direct allocation

page read and write

872000

unkown

page readonly

29C2A49C000

heap

page read and write

C00007A000

direct allocation

page read and write

29C2A4F0000

heap

page read and write

F9A4BFE000

stack

page read and write

907000

unkown

page readonly

29C2A430000

direct allocation

page read and write

29C4F8C0000

direct allocation

page read and write

76C000

unkown

page readonly

F9A5BFE000

stack

page read and write

F9A51FE000

stack

page read and write

29C2A770000

heap

page read and write

906000

unkown

page write copy

29C2A775000

heap

page read and write

C000018000

direct allocation

page read and write

29C2A3F0000

heap

page read and write

726000

unkown

page readonly

C000041000

direct allocation

page read and write

7EC000

unkown

page read and write

C000002000

direct allocation

page read and write

C000012000

direct allocation

page read and write

C00000A000

direct allocation

page read and write

C000052000

direct allocation

page read and write

7D6000

unkown

page read and write

680000

unkown

page readonly

C000122000

direct allocation

page read and write

7DA000

unkown

page write copy

C000031000

direct allocation

page read and write

81D000

unkown

page read and write

76F000

unkown

page readonly

7D6000

unkown

page write copy

29C2A508000

heap

page read and write

29C2A760000

direct allocation

page read and write

F9A59F8000

stack

page read and write

29C2A3E0000

heap

page read and write

680000

unkown

page readonly

29C2A439000

direct allocation

page read and write

C000021000

direct allocation

page read and write

C000076000

direct allocation

page read and write

F9A4DFE000

stack

page read and write

681000

unkown

page execute read

C00001C000

direct allocation

page read and write

C000060000

direct allocation

page read and write

F9A53FE000

stack

page read and write

C000102000

direct allocation

page read and write

F9A5FFE000

stack

page read and write

C00002C000

direct allocation

page read and write

76C000

unkown

page readonly

C000008000

direct allocation

page read and write

7DC000

unkown

page read and write

29C2A499000

heap

page read and write

F9A55FF000

stack

page read and write

C00005C000

direct allocation

page read and write

847000

unkown

page read and write

7DD000

unkown

page write copy

29C4F7A0000

direct allocation

page read and write

29C2A434000

direct allocation

page read and write

C000128000

direct allocation

page read and write

C000114000

direct allocation

page read and write

84A000

unkown

page readonly

C000072000

direct allocation

page read and write

F9A5DFE000

stack

page read and write

C000014000

direct allocation

page read and write

C00000C000

direct allocation

page read and write

C000124000

direct allocation

page read and write

29C2A514000

heap

page read and write

C000010000

direct allocation

page read and write

844000

unkown

page read and write

29C2A4F9000

heap

page read and write

F9A57FD000

stack

page read and write

84A000

unkown

page readonly

906000

unkown

page write copy

F9A4FFF000

stack

page read and write

C00000E000

direct allocation

page read and write

C000064000

direct allocation

page read and write

76F000

unkown

page readonly

29C2A43D000

direct allocation

page read and write

29C4F788000

direct allocation

page read and write

C000036000

direct allocation

page read and write

C000004000

direct allocation

page read and write

726000

unkown

page readonly

872000

unkown

page readonly

C000016000

direct allocation

page read and write

C000054000

direct allocation

page read and write

29C2A506000

heap

page read and write

C000000000

direct allocation

page read and write

29C4F780000

direct allocation

page read and write

29C2A490000

heap

page read and write

C00004E000

direct allocation

page read and write

C00007E000

direct allocation

page read and write

29C2A410000

heap

page read and write

There are 91 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.FileRepMalware.23518.16980.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.FileRepMalware.23518.16980.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.FileRepMalware.23518.16980.exe