Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

yVhGfho0R4.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.778141698418682
Filename:	yVhGfho0R4.exe
Filesize:	987136
MD5:	6138a05e066e20c8e39c760bec68e113
SHA1:	04644b6a5ea07a58824ff156b240ca9481806469
SHA256:	b4463bc49e5f7fdfe610f17163ad8b399dda74e6843c4ea7fccf379c95e06e4f
SHA512:	811381b33c3be3ee817a127c42e3c886802331d7453230658244872c97cddc36aa4c0b7d05e30c9280bfe1f800fedb481575cd0ab502386953af4505a5dd7aaf
SSDEEP:	24576:LI++Z/jfG+Nv4GhFASI4tKX2Fjpm87bb:LI++ZLfG+SGhF/tImT
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V..f..............0.................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yVhGfho0R4.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yVhGfho0R4.exe.log
Category:	dropped
Dump:	yVhGfho0R4.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\yVhGfho0R4.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
Category:	dropped
Dump:	json[1].json.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	JSON data
Entropy:	5.012309356796613
Encrypted:	false
Ssdeep:	12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
Size:	962
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\bhv28F9.tmp

Extensible storage engine DataBase, version 0x620, checksum 0xc7dcb1fc, page size 32768, DirtyShutdown, Windows version 10.0

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\bhv28F9.tmp
Category:	dropped
Dump:	bhv28F9.tmp.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	Extensible storage engine DataBase, version 0x620, checksum 0xc7dcb1fc, page size 32768, DirtyShutdown, Windows version 10.0
Entropy:	1.283022653220528
Encrypted:	false
Ssdeep:	12288:JRSPOhijljKhBfvKDv2Q+555ckQB8WBbXnE:2ii9PD7+
Size:	20447232
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\ghpxetgawuzqhlhqyiosoy

Unicode text, UTF-16, little-endian text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ghpxetgawuzqhlhqyiosoy
Category:	dropped
Dump:	ghpxetgawuzqhlhqyiosoy.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Entropy:	1.0
Encrypted:	false
Ssdeep:	3:Qn:Qn
Size:	2
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\yVhGfho0R4.exe

"C:\Users\user\Desktop\yVhGfho0R4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1136
Target ID:	0
Parent PID:	2580
Name:	yVhGfho0R4.exe
Path:	C:\Users\user\Desktop\yVhGfho0R4.exe
Commandline:	"C:\Users\user\Desktop\yVhGfho0R4.exe"
Size:	987136
MD5:	6138A05E066E20C8E39C760BEC68E113
Time:	20:41:54
Date:	29/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb50000
Modulesize:	1007616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5460
Target ID:	2
Parent PID:	1136
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	20:41:55
Date:	29/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x570000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\ghpxetgawuzqhlhqyiosoy"

Details

Is windows:	true
Is dropped:	false
PID:	5164
Target ID:	3
Parent PID:	5460
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\ghpxetgawuzqhlhqyiosoy"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	20:41:59
Date:	29/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe80000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\qccpxmqukcrvrrvupsbtqlykp"

Details

Is windows:	true
Is dropped:	false
PID:	1076
Target ID:	4
Parent PID:	5460
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\qccpxmqukcrvrrvupsbtqlykp"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	20:41:59
Date:	29/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x120000
Modulesize:	262144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\qccpxmqukcrvrrvupsbtqlykp"

Details

Is windows:	true
Is dropped:	false
PID:	6112
Target ID:	5
Parent PID:	5460
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\qccpxmqukcrvrrvupsbtqlykp"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	20:41:59
Date:	29/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1e0000
Modulesize:	262144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\qccpxmqukcrvrrvupsbtqlykp"

Details

Is windows:	true
Is dropped:	false
PID:	1900
Target ID:	6
Parent PID:	5460
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\qccpxmqukcrvrrvupsbtqlykp"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	20:41:59
Date:	29/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\aeiaxebwykjatxryydovbqttyepx"

Details

Is windows:	true
Is dropped:	false
PID:	4296
Target ID:	7
Parent PID:	5460
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\user\AppData\Local\Temp\aeiaxebwykjatxryydovbqttyepx"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	20:41:59
Date:	29/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc10000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

Malicious

103.186.116.220

http://geoplugin.net/json.gp

178.237.33.50

http://www.fontbureau.com/designersG

unknown

http://www.imvu.comr

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W

unknown

https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad

unknown

http://www.fontbureau.com/designers?

unknown

https://aefd.nelreports.net/api/report?cat=bingth

unknown

https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.nirsoft.net

unknown

https://aefd.nelreports.net/api/report?cat=bingaotak

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr

unknown

http://www.goodfont.co.kr

unknown

https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742

unknown

https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr

unknown

http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com

unknown

https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

https://www.google.com

unknown

http://www.founder.com.cn/cn/cThe

unknown

https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://geoplugin.net/json.gp/C

unknown

http://geoplugin.net/json.gplgqL3)

unknown

https://maps.windows.com/windows-app-web-link

unknown

https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat

unknown

http://www.galapagosdesign.com/DPlease

unknown

https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8

unknown

https://login.yahoo.com/config/login

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.nirsoft.net/

unknown

http://www.zhongyicts.com.cn

unknown

http://www.sakkal.com

unknown

https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d

unknown

https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d

unknown

https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg

unknown

https://www.office.com/

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8

unknown

https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68

unknown

https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2

unknown

https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d

unknown

https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437

unknown

http://www.imvu.com

unknown

https://aefd.nelreports.net/api/report?cat=wsb

unknown

https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326

unknown

http://geoplugin.net/json.gpSystem32

unknown

http://www.carterandcone.coml

unknown

https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

https://aefd.nelreports.net/api/report?cat=bingaot

unknown

https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae

unknown

https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.fontbureau.com/designers8

unknown

https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD

unknown

https://aefd.nelreports.net/api/report?cat=bingrms

unknown

https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993

unknown

https://www.google.com/accounts/servicelogin

unknown

https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5

unknown

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3

unknown

https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135

unknown

https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59

unknown

http://www.ebuddy.com

unknown

There are 65 hidden URLs, click here to show them.

Domains

Name

Malicious

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

bg.microsoft.map.fastly.net

199.232.214.172

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

103.186.116.220

unknown

Details

IP:	103.186.116.220
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
ASN number:	7575
ASN name:	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

178.237.33.50

geoplugin.net

Netherlands

Details

IP:	178.237.33.50
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	8455
ASN name:	ATOM86-ASATOM86NL
Private:	false
Domain:	geoplugin.net

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-9XV80Z

exepath

Details

TargetID:	2
Path:	HKEY_CURRENT_USER\SOFTWARE\Rmc-9XV80Z
Value name:	exepath
Value data:	0D 41 61 46 3D CC 79 C3 F3 C4 AD EC EF AA FD 8B BE 09 2A B6 AA 42 5A B9 A0 43 ED B1 0F 17 9A 98 5A F4 01 D0 98 38 0A B4 B3 57 6E 12 EE C3 93 6C 19 4E 11 AD 68 49 77 90 3A 57 69 9C 4E 9A F2 2F DB FC 56 F1 0C E2 1D AC 99 88 9A 16 78 59 1D 14 85 74 4E D5 0C 82 A8 A6 73 23 4C A9 34 33 1E 66 1A 77 26 C7 8C A1 45 B2 9B D4 BE 22 F7 D9 CB 55 22 E1 ED E0

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information

HKEY_CURRENT_USER\SOFTWARE\Rmc-9XV80Z

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-9XV80Z

time

Memdumps

Base Address

Regiontype

Protect

Malicious

B37000

heap

page read and write

3F69000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

4A6A000

trusted library allocation

page read and write

AC5000

heap

page read and write

1270000

heap

page read and write

57F0000

trusted library allocation

page read and write

45D000

system

page execute and read and write

2FCC000

trusted library allocation

page read and write

13AB000

heap

page read and write

478000

remote allocation

page execute and read and write

B8F000

heap

page read and write

2EFF000

stack

page read and write

3580000

heap

page read and write

75FE000

stack

page read and write

5600000

heap

page read and write

ABF000

stack

page read and write

53C0000

trusted library allocation

page read and write

11FE000

stack

page read and write

358A000

heap

page read and write

400000

system

page execute and read and write

AD0000

heap

page read and write

7090000

trusted library allocation

page read and write

1180000

heap

page read and write

45C000

system

page execute and read and write

5590000

trusted library allocation

page read and write

459000

system

page execute and read and write

12F1000

heap

page read and write

3588000

heap

page read and write

5800000

heap

page read and write

456000

system

page execute and read and write

13E0000

heap

page read and write

2790000

heap

page read and write

400000

system

page execute and read and write

760F000

trusted library allocation

page read and write

5805000

heap

page read and write

1500000

trusted library allocation

page read and write

B6C000

heap

page read and write

12DC000

stack

page read and write

BA6000

heap

page read and write

1516000

trusted library allocation

page execute and read and write

1527000

trusted library allocation

page execute and read and write

3480000

heap

page read and write

70B2000

trusted library allocation

page read and write

2FB0000

heap

page read and write

289F000

stack

page read and write

BB1000

heap

page read and write

13F8000

heap

page read and write

B95000

heap

page read and write

13EE000

stack

page read and write

93C000

stack

page read and write

2F1D000

heap

page read and write

5620000

trusted library allocation

page execute and read and write

53EE000

trusted library allocation

page read and write

5400000

trusted library allocation

page read and write

1510000

trusted library allocation

page read and write

12F3000

heap

page read and write

1320000

heap

page read and write

5430000

trusted library allocation

page read and write

299E000

heap

page read and write

1185000

heap

page read and write

10016000

direct allocation

page execute and read and write

294B000

heap

page read and write

7A5D000

stack

page read and write

338F000

stack

page read and write

DD7000

stack

page read and write

55F0000

trusted library section

page readonly

A97E000

stack

page read and write

8040000

trusted library section

page read and write

1458000

heap

page read and write

1540000

trusted library allocation

page read and write

FB0000

heap

page read and write

3000000

heap

page read and write

53D4000

trusted library allocation

page read and write

B52000

unkown

page readonly

53FD000

trusted library allocation

page read and write

5445000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

BB8000

heap

page read and write

1530000

heap

page read and write

1248000

heap

page read and write

5440000

trusted library allocation

page read and write

10000000

direct allocation

page read and write

5598000

trusted library allocation

page read and write

F4C000

stack

page read and write

12B0000

heap

page read and write

150D000

trusted library allocation

page execute and read and write

328E000

stack

page read and write

14F4000

trusted library allocation

page read and write

3F61000

trusted library allocation

page read and write

B50000

unkown

page readonly

12EF000

stack

page read and write

DD9000

stack

page read and write

5FD7000

heap

page read and write

12F3000

stack

page read and write

1730000

heap

page execute and read and write

1240000

heap

page read and write

1550000

heap

page read and write

1110000

heap

page read and write

5420000

heap

page read and write

7620000

trusted library allocation

page execute and read and write

172E000

stack

page read and write

28A0000

heap

page read and write

5FB1000

heap

page read and write

3540000

heap

page read and write

5630000

heap

page execute and read and write

2F2D000

heap

page read and write

7605000

trusted library allocation

page read and write

3060000

heap

page read and write

14EE000

stack

page read and write

3160000

heap

page read and write

83C000

stack

page read and write

5610000

heap

page read and write

13E0000

heap

page read and write

5402000

trusted library allocation

page read and write

53DB000

trusted library allocation

page read and write

116E000

stack

page read and write

57E0000

trusted library allocation

page read and write

81FE000

stack

page read and write

2918000

heap

page read and write

17AE000

heap

page read and write

5470000

trusted library allocation

page read and write

14F0000

trusted library allocation

page read and write

13D0000

heap

page read and write

9A0000

heap

page read and write

802E000

stack

page read and write

1260000

heap

page read and write

12BE000

heap

page read and write

53D0000

trusted library allocation

page read and write

7490000

heap

page read and write

7C6E000

stack

page read and write

474000

remote allocation

page execute and read and write

7600000

trusted library allocation

page read and write

7F2E000

stack

page read and write

CDC000

stack

page read and write

2F5E000

stack

page read and write

2D78000

trusted library allocation

page read and write

1040000

heap

page read and write

15EF000

stack

page read and write

143F000

stack

page read and write

2FCA000

trusted library allocation

page read and write

AC0000

heap

page read and write

12D7000

stack

page read and write

EFC000

stack

page read and write

7FD50000

trusted library allocation

page execute and read and write

1503000

trusted library allocation

page read and write

2F61000

trusted library allocation

page read and write

C42000

unkown

page readonly

7E6E000

stack

page read and write

14FD000

trusted library allocation

page execute and read and write

14F3000

trusted library allocation

page execute and read and write

139E000

stack

page read and write

1740000

trusted library allocation

page execute and read and write

152B000

trusted library allocation

page execute and read and write

400000

system

page execute and read and write

FFE000

stack

page read and write

5740000

heap

page read and write

8030000

trusted library section

page read and write

1030000

heap

page read and write

505C000

stack

page read and write

128E000

stack

page read and write

C40000

heap

page read and write

142E000

stack

page read and write

41B000

system

page execute and read and write

13F0000

heap

page read and write

2F23000

heap

page read and write

1450000

heap

page read and write

1280000

heap

page read and write

53F1000

trusted library allocation

page read and write

164F000

stack

page read and write

115E000

stack

page read and write

1570000

heap

page read and write

1750000

heap

page read and write

2F31000

heap

page read and write

59CE000

stack

page read and write

1522000

trusted library allocation

page read and write

2FB8000

trusted library allocation

page read and write

B30000

heap

page read and write

1170000

heap

page read and write

12A0000

trusted library allocation

page read and write

590D000

stack

page read and write

53A0000

heap

page read and write

3800000

heap

page read and write

17A0000

heap

page read and write

5FB9000

heap

page read and write

2E50000

heap

page read and write

7D6E000

stack

page read and write

5423000

heap

page read and write

54B0000

heap

page read and write

3584000

heap

page read and write

54C0000

trusted library allocation

page execute and read and write

13D5000

heap

page read and write

59D0000

trusted library allocation

page read and write

CDA000

stack

page read and write

270F000

stack

page read and write

5410000

trusted library allocation

page read and write

2F00000

heap

page read and write

12B8000

heap

page read and write

594E000

stack

page read and write

140E000

heap

page read and write

55EB000

stack

page read and write

1512000

trusted library allocation

page read and write

C30000

heap

page read and write

5F90000

heap

page read and write

598E000

stack

page read and write

1050000

heap

page read and write

151A000

trusted library allocation

page execute and read and write

260E000

stack

page read and write

2710000

heap

page read and write

E2F000

stack

page read and write

12D9000

heap

page read and write

FFB000

stack

page read and write

473000

system

page execute and read and write

2DFE000

stack

page read and write

1520000

trusted library allocation

page read and write

2E4B000

stack

page read and write

7630000

trusted library allocation

page read and write

335F000

stack

page read and write

276E000

stack

page read and write

1757000

heap

page read and write

5FA0000

heap

page read and write

54D0000

trusted library allocation

page read and write

53F6000

trusted library allocation

page read and write

10001000

direct allocation

page execute and read and write

There are 214 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
yVhGfho0R4.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportyVhGfho0R4.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
yVhGfho0R4.exe