Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

2qsdqACnX3.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.198880234677548
Filename:	2qsdqACnX3.exe
Filesize:	83968
MD5:	73339cacdb37937c47ea7668ac3a1017
SHA1:	b32d273a752ad25173e26a110ae05acbabf3f15d
SHA256:	d0abb0bd329f13afadfb0bbf6730f2233488b8c6c6f5e593d61d91b20fe8b772
SHA512:	6629b294d431b49f7d3272dc0bcaa85eaa2a82f0f3eceea27ff071ff4b7048af2b0a70bed658ad22e53b6d70d239399f477d5a2122d84bb6e28435678eefd41d
SSDEEP:	1536:YSSH/BiqTiTQROZFdQ6sPr2F7oW6fQrNZL3cncOaEzSkzmeL:ZS5MvXdfsPr2F7pyQhDOaEzKeL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............2.....N....................@..........................`.............................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code	Hooking and other Techniques for Hiding and Protection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information	Credentials in Registry
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Process Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Yara signature match	System Summary
Contains functionality to access the windows certificate store	System Summary	Install Root Certificate
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
Executes batch files	System Summary	Scripting Install Root Certificate
Found strings which match to known social media urls	Networking	Install Root Certificate
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Checks if Microsoft Office is installed	System Summary

C:\Users\user\AppData\Local\Temp\5990015.bat

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\5990015.bat
Category:	dropped
Dump:	5990015.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\2qsdqACnX3.exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	3.233204299824007
Encrypted:	false
Ssdeep:	3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
Size:	94
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates temporary files	System Summary
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\2qsdqACnX3.exe

"C:\Users\user\Desktop\2qsdqACnX3.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6632
Target ID:	0
Parent PID:	1028
Name:	2qsdqACnX3.exe
Path:	C:\Users\user\Desktop\2qsdqACnX3.exe
Commandline:	"C:\Users\user\Desktop\2qsdqACnX3.exe"
Size:	83968
MD5:	73339CACDB37937C47EA7668AC3A1017
Time:	03:26:55
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Pony	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Executes batch files	System Summary	Scripting
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "

Details

Is windows:	true
Is dropped:	false
PID:	940
Target ID:	2
Parent PID:	6632
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5990015.bat" "C:\Users\user\Desktop\2qsdqACnX3.exe" "
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	03:26:57
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5572
Target ID:	3
Parent PID:	940
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:26:57
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://gunnylaumienphi2017.com/

http://https://ftp://operawand.dat_Software

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

ftp://http://https://ftp.fireFTPsites.datSeaMonkey

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://gunnylaumienphi2017.com/YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0

unknown

There are 3 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\WinRAR

HWID

Memdumps

Base Address

Regiontype

Protect

Malicious

411000

unkown

page read and write

411000

unkown

page write copy

4F0000

heap

page read and write

74E000

heap

page read and write

25C0000

trusted library allocation

page read and write

74F000

heap

page read and write

401000

unkown

page execute read

753000

heap

page read and write

74E000

heap

page read and write

754000

heap

page read and write

74C000

heap

page read and write

753000

heap

page read and write

2F4C000

stack

page read and write

2B3F000

stack

page read and write

28FE000

stack

page read and write

505000

heap

page read and write

54E000

stack

page read and write

AE7000

heap

page read and write

9B000

stack

page read and write

1F0000

heap

page read and write

8EF000

stack

page read and write

19B000

stack

page read and write

74E000

heap

page read and write

74E000

heap

page read and write

6F0000

heap

page read and write

6B0000

heap

page read and write

711000

heap

page read and write

2DBF000

stack

page read and write

2B7E000

stack

page read and write

2A3E000

stack

page read and write

2CBE000

stack

page read and write

25C0000

trusted library allocation

page read and write

400000

unkown

page readonly

26BD000

stack

page read and write

2270000

heap

page read and write

27BF000

stack

page read and write

304C000

stack

page read and write

401000

unkown

page execute read

400000

unkown

page readonly

6FA000

heap

page read and write

29FF000

stack

page read and write

500000

heap

page read and write

21BC000

stack

page read and write

AE0000

heap

page read and write

760000

heap

page read and write

68E000

stack

page read and write

64E000

stack

page read and write

2C7F000

stack

page read and write

28BF000

stack

page read and write

6FE000

heap

page read and write

223E000

stack

page read and write

3050000

heap

page read and write

766000

heap

page read and write

759000

heap

page read and write

21FE000

stack

page read and write

There are 45 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
2qsdqACnX3.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report2qsdqACnX3.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
2qsdqACnX3.exe