Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6996
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1868800
MD5:	F74ED5926C551EA89E49D964E729E736
Time:	02:57:53
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5e0000
Modulesize:	6975488
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://185.215.113.37/

185.215.113.37

Details

Name:	http://185.215.113.37/
IP:	185.215.113.37
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.phpTI

unknown

Details

Name:	http://185.215.113.37/e2b1563c6670f193.phpTI
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://185.215.113.37

unknown

Details

Name:	http://185.215.113.37
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.phpXI

unknown

Details

Name:	http://185.215.113.37/e2b1563c6670f193.phpXI
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.php

185.215.113.37

Details

Name:	http://185.215.113.37/e2b1563c6670f193.php
IP:	185.215.113.37
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37/ws

unknown

Details

Name:	http://185.215.113.37/ws
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.phpLI

unknown

Details

Name:	http://185.215.113.37/e2b1563c6670f193.phpLI
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.215.113.37

unknown

Portugal

Details

IP:	185.215.113.37
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5E1000

unkown

page execute and read and write

4FE0000

direct allocation

page read and write

113E000

heap

page read and write

1CF0F000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

3D9F000

stack

page read and write

441E000

stack

page read and write

4B61000

heap

page read and write

3F1E000

stack

page read and write

9C2000

unkown

page execute and read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

361F000

stack

page read and write

4B5F000

stack

page read and write

3B1F000

stack

page read and write

4B61000

heap

page read and write

465F000

stack

page read and write

D1C000

stack

page read and write

43DF000

stack

page read and write

1184000

heap

page read and write

39DF000

stack

page read and write

401F000

stack

page read and write

143F000

stack

page read and write

4B61000

heap

page read and write

11C1000

heap

page read and write

4B61000

heap

page read and write

6C2000

unkown

page execute and read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

491E000

stack

page read and write

4B61000

heap

page read and write

1D18E000

stack

page read and write

1D1CE000

stack

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

419D000

stack

page read and write

DC4000

heap

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

2D57000

heap

page read and write

69D000

unkown

page execute and read and write

4B61000

heap

page read and write

1D31D000

stack

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

DE0000

heap

page read and write

147E000

stack

page read and write

DC4000

heap

page read and write

DF0000

direct allocation

page read and write

4B61000

heap

page read and write

D80000

heap

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

1130000

heap

page read and write

5130000

direct allocation

page execute and read and write

325F000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

501E000

stack

page read and write

5120000

direct allocation

page execute and read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

AA4000

unkown

page execute and read and write

375F000

stack

page read and write

2D9E000

stack

page read and write

D70000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

5E0000

unkown

page readonly

329E000

stack

page read and write

DC4000

heap

page read and write

351E000

stack

page read and write

11B2000

heap

page read and write

47DE000

stack

page read and write

1178000

heap

page read and write

DC4000

heap

page read and write

429F000

stack

page read and write

1D04F000

stack

page read and write

10FE000

stack

page read and write

AE2000

unkown

page execute and write copy

469E000

stack

page read and write

311F000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

1D41D000

stack

page read and write

2E9F000

stack

page read and write

1D55C000

stack

page read and write

4A5E000

stack

page read and write

DC0000

heap

page read and write

2FDF000

stack

page read and write

405E000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

11A7000

heap

page read and write

339F000

stack

page read and write

AC7000

unkown

page execute and read and write

455E000

stack

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

11A4000

heap

page read and write

4FA0000

trusted library allocation

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

DC4000

heap

page read and write

1110000

direct allocation

page read and write

5E0000

unkown

page read and write

82A000

unkown

page execute and read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

365E000

stack

page read and write

10F5000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

DF0000

direct allocation

page read and write

DC4000

heap

page read and write

2D30000

direct allocation

page execute and read and write

DC4000

heap

page read and write

315E000

stack

page read and write

1138000

heap

page read and write

691000

unkown

page execute and read and write

48DF000

stack

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

DF0000

direct allocation

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

1196000

heap

page read and write

2D30000

heap

page read and write

157F000

stack

page read and write

DC4000

heap

page read and write

301E000

stack

page read and write

DC4000

heap

page read and write

AD3000

unkown

page execute and read and write

5E1000

unkown

page execute and write copy

2D5B000

heap

page read and write

DC4000

heap

page read and write

1D08E000

stack

page read and write

2D40000

direct allocation

page execute and read and write

C83000

unkown

page execute and read and write

DC4000

heap

page read and write

1D2CF000

stack

page read and write

4B60000

heap

page read and write

4B70000

heap

page read and write

4A1F000

stack

page read and write

42DE000

stack

page read and write

4B61000

heap

page read and write

3DDE000

stack

page read and write

1CF4E000

stack

page read and write

2EDC000

stack

page read and write

511F000

stack

page read and write

3C9E000

stack

page read and write

4B61000

heap

page read and write

389F000

stack

page read and write

4B61000

heap

page read and write

DF0000

direct allocation

page read and write

DC4000

heap

page read and write

1110000

direct allocation

page read and write

DC4000

heap

page read and write

3C5F000

stack

page read and write

DC4000

heap

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

DF0000

direct allocation

page read and write

4B61000

heap

page read and write

DF0000

direct allocation

page read and write

DF0000

direct allocation

page read and write

451F000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

AE1000

unkown

page execute and write copy

4B61000

heap

page read and write

1120000

direct allocation

page execute and read and write

DF0000

direct allocation

page read and write

3A1E000

stack

page read and write

DC4000

heap

page read and write

83E000

unkown

page execute and read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

2D50000

heap

page read and write

133E000

stack

page read and write

DF0000

direct allocation

page read and write

3EDF000

stack

page read and write

2D20000

direct allocation

page execute and read and write

DC4000

heap

page read and write

C84000

unkown

page execute and write copy

33DE000

stack

page read and write

117E000

heap

page read and write

DF0000

direct allocation

page read and write

4B61000

heap

page read and write

1D45D000

stack

page read and write

1CE0E000

stack

page read and write

479F000

stack

page read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

DF0000

direct allocation

page read and write

415F000

stack

page read and write

3B5E000

stack

page read and write

2D40000

direct allocation

page execute and read and write

DF0000

direct allocation

page read and write

AE1000

unkown

page execute and read and write

DC4000

heap

page read and write

4B61000

heap

page read and write

38DE000

stack

page read and write

DF0000

direct allocation

page read and write

DC4000

heap

page read and write

34DF000

stack

page read and write

4B61000

heap

page read and write

DC4000

heap

page read and write

379E000

stack

page read and write

4B61000

heap

page read and write

4B61000

heap

page read and write

DF0000

direct allocation

page read and write

There are 220 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

IPs

Memdumps

IOC Report
file.exe