Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	2.7922501078429534
Filename:	file.exe
Filesize:	9994752
MD5:	0603207308448ad82dc3d1fc17923ddb
SHA1:	9c4f8f3e35d6404e22b50b7f1a0641a1b4195d94
SHA256:	0fb82d8a8edd32ba4f80b129b228c9e74871f55f970b44c75af5aa4572b1b582
SHA512:	50595287ba90421dbb6fc612b69d2a2bffdad54ff79b04c50a05ea414af4e7deeb7101fb1b0638257cb28d3627ef8258e7cb039178b6d504d922774e91f95ba5
SSDEEP:	49152:bDyQaXzVDlZO+jPtICKFgYvB+um+uWXHAEUk9Nd1aKXTjTgwpZp5m2GyP/UscElJ:iQQZDlBPtTY
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............(.N,..~...............`,...@.................................DG....@... ......................p..B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.002340594165386923
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\LYgbAXPoWKdcsgBzdWtH.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\LYgbAXPoWKdcsgBzdWtH.dll
Category:	dropped
Dump:	LYgbAXPoWKdcsgBzdWtH.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.05436916105421156
Encrypted:	false
Ssdeep:	24576:DjMXwB2/vtTwIj/SMdLcgUhTwpzbUkWrn3NDfcHVSyn8W8xlfVE:SEw13WrnpfaVYxlfVE
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7680
Target ID:	0
Parent PID:	3968
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	9994752
MD5:	0603207308448AD82DC3D1FC17923DDB
Time:	19:02:27
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7f0000
Modulesize:	10027008
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7180
Target ID:	5
Parent PID:	7680
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	4D55689820C303548CBA9CFA9F2BF3CB
Time:	19:03:27
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	7264
Target ID:	6
Parent PID:	7680
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	19:03:28
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x430000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	4620
Target ID:	8
Parent PID:	1040
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	4D55689820C303548CBA9CFA9F2BF3CB
Time:	19:03:30
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x790000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	5836
Target ID:	9
Parent PID:	1040
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	4D55689820C303548CBA9CFA9F2BF3CB
Time:	19:04:02
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x790000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7276
Target ID:	7
Parent PID:	7264
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:03:28
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff620390000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

analforeverlovyu.top

https://serviceupdate32.com/update

unknown

sevtvh17pt.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://sevtvh17pt.top/v1/upload.php

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

sevtvh17pt.top

37.9.4.189

Details

Name:	sevtvh17pt.top
IP:	37.9.4.189
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

198.187.3.20.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

37.9.4.189

sevtvh17pt.top

Russian Federation

Details

IP:	37.9.4.189
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49505
ASN name:	SELECTELRU
Private:	false
Domain:	sevtvh17pt.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

434C000

heap

page read and write

398A000

heap

page read and write

46CC000

stack

page read and write

791000

unkown

page execute read

398E000

heap

page read and write

6C9D0000

unkown

page readonly

1670000

heap

page read and write

1735000

heap

page read and write

DA76000

heap

page read and write

3983000

heap

page read and write

791000

unkown

page execute read

3030000

heap

page read and write

16BE000

stack

page read and write

395F000

heap

page read and write

39A3000

heap

page read and write

9DE000

stack

page read and write

2F0E000

unkown

page read and write

2BF0000

heap

page read and write

790000

unkown

page readonly

6CAAF000

unkown

page readonly

79E000

unkown

page read and write

1690000

heap

page read and write

BF7000

unkown

page read and write

38E1000

heap

page read and write

E06000

unkown

page read and write

2F8E000

stack

page read and write

394B000

heap

page read and write

3989000

heap

page read and write

16DE000

heap

page read and write

171B000

heap

page read and write

6CAAD000

unkown

page read and write

16D0000

heap

page read and write

BB7000

unkown

page read and write

79A000

unkown

page readonly

7F0000

unkown

page readonly

D9AB000

heap

page read and write

DBC000

unkown

page read and write

FD0000

heap

page read and write

395F000

heap

page read and write

174D000

heap

page read and write

39E0000

heap

page read and write

4320000

remote allocation

page read and write

3950000

heap

page read and write

1825000

heap

page read and write

1704000

heap

page read and write

79A000

unkown

page readonly

3C3D000

stack

page read and write

2FCF000

stack

page read and write

1704000

heap

page read and write

E03000

unkown

page read and write

1820000

heap

page read and write

E0B000

unkown

page read and write

448E000

stack

page read and write

6CAF9000

unkown

page read and write

39AD000

heap

page read and write

3850000

heap

page read and write

48CC000

stack

page read and write

950000

heap

page read and write

3996000

heap

page read and write

7A1000

unkown

page readonly

174D000

heap

page read and write

197F000

stack

page read and write

DB97000

heap

page read and write

2F4F000

unkown

page read and write

DFC000

unkown

page read and write

3C7D000

stack

page read and write

DB90000

heap

page read and write

38E1000

heap

page read and write

1540000

heap

page read and write

ECC000

stack

page read and write

79E000

unkown

page write copy

2B7A000

stack

page read and write

172F000

heap

page read and write

394B000

heap

page read and write

40BF000

stack

page read and write

399A000

heap

page read and write

143B000

stack

page read and write

1490000

heap

page read and write

42FF000

stack

page read and write

3989000

heap

page read and write

3983000

heap

page read and write

9E0000

heap

page read and write

E18000

unkown

page read and write

AB6000

unkown

page read and write

790000

unkown

page readonly

E1E000

unkown

page read and write

7A1000

unkown

page readonly

40FE000

stack

page read and write

2BE0000

heap

page read and write

113B000

unkown

page readonly

1735000

heap

page read and write

1750000

heap

page read and write

790000

unkown

page readonly

142A000

heap

page read and write

7F1000

unkown

page execute read

13FD000

stack

page read and write

FB0000

heap

page read and write

6CAFC000

unkown

page readonly

13FC000

stack

page read and write

38E1000

heap

page read and write

16FE000

heap

page read and write

F20000

heap

page read and write

1440000

heap

page read and write

133F000

stack

page read and write

39A5000

heap

page read and write

DC86000

heap

page read and write

D98E000

stack

page read and write

1AFE000

stack

page read and write

7A1000

unkown

page readonly

6C9D1000

unkown

page execute read

153F000

stack

page read and write

113B000

unkown

page readonly

179C000

heap

page read and write

1128000

unkown

page readonly

10BD000

unkown

page read and write

1755000

heap

page read and write

E294000

heap

page read and write

16DA000

heap

page read and write

790000

unkown

page readonly

1048000

heap

page read and write

1719000

heap

page read and write

1680000

heap

page read and write

7F1000

unkown

page execute read

1687000

heap

page read and write

DFC000

stack

page read and write

398E000

heap

page read and write

79A000

unkown

page readonly

7F0000

unkown

page readonly

1631000

stack

page read and write

7A1000

unkown

page readonly

DB80000

heap

page read and write

16C0000

heap

page read and write

1731000

heap

page read and write

16C7000

heap

page read and write

791000

unkown

page execute read

1719000

heap

page read and write

180E000

stack

page read and write

386A000

heap

page read and write

E0D000

unkown

page read and write

3E7E000

stack

page read and write

1138000

unkown

page write copy

38E1000

heap

page read and write

1758000

heap

page read and write

E7C000

unkown

page read and write

79E000

unkown

page read and write

1745000

heap

page read and write

7A1000

unkown

page readonly

18C0000

heap

page read and write

468F000

stack

page read and write

3990000

heap

page read and write

161B000

stack

page read and write

3995000

heap

page read and write

3988000

heap

page read and write

79E000

unkown

page write copy

3860000

heap

page read and write

3988000

heap

page read and write

4320000

remote allocation

page read and write

173F000

heap

page read and write

1420000

heap

page read and write

1138000

unkown

page read and write

1740000

heap

page read and write

DFF000

unkown

page read and write

99E000

stack

page read and write

790000

unkown

page readonly

8FC000

stack

page read and write

397E000

heap

page read and write

398A000

heap

page read and write

79A000

unkown

page readonly

38FE000

heap

page read and write

16C4000

heap

page read and write

38E0000

heap

page read and write

1040000

heap

page read and write

790000

unkown

page readonly

3983000

heap

page read and write

AB6000

unkown

page write copy

1128000

unkown

page readonly

1CFE000

stack

page read and write

FC0000

heap

page read and write

F5C000

stack

page read and write

D793000

heap

page read and write

399A000

heap

page read and write

3EBE000

stack

page read and write

79A000

unkown

page readonly

79A000

unkown

page readonly

2B3D000

stack

page read and write

143E000

stack

page read and write

3170000

heap

page read and write

6CAF8000

unkown

page readonly

79E000

unkown

page read and write

3983000

heap

page read and write

317B000

heap

page read and write

4320000

remote allocation

page read and write

F00000

heap

page read and write

397F000

heap

page read and write

79E000

unkown

page write copy

16C5000

heap

page read and write

38F9000

heap

page read and write

3963000

heap

page read and write

3A3E000

stack

page read and write

791000

unkown

page execute read

16FB000

heap

page read and write

38E9000

heap

page read and write

142E000

heap

page read and write

384E000

stack

page read and write

791000

unkown

page execute read

390B000

heap

page read and write

399F000

heap

page read and write

2FE0000

heap

page read and write

16C5000

heap

page read and write

791000

unkown

page execute read

7A1000

unkown

page readonly

1660000

heap

page read and write

DBCF000

heap

page read and write

39A8000

heap

page read and write

There are 204 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe