Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

kas.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.30506624798976
Filename:	kas.exe
Filesize:	1218405
MD5:	911e5ea2603b4a7dc17bf847dda0f6f9
SHA1:	f2bc99c64bf0aeadc02170f62f32245623e8b862
SHA256:	d81f1cfc732280d0f92df78433544b467d837f60cbfcfdbff21c5f987eaea942
SHA512:	37e8d01f0989395aa56e83b5d00a2097761c87522b52baf596c81d56f4f95a7e0a34a6932b161d6a5853a2e094555363d4c3475d145e94558396f954fe620a40
SSDEEP:	24576:WfmMv6Ckr7Mny5Qb/OM930NCdy500u0cfbdG:W3v+7/5Qb/OEXdp0YG
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	System Information Discovery
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture Security Software Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Process Discovery Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Security Software Discovery Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\brawlys

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\brawlys
Category:	dropped
Dump:	brawlys.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\kas.exe
Type:	data
Entropy:	6.750321066436658
Encrypted:	false
Ssdeep:	6144:MzpK/Iwjp36hGm6zyiXJIFb/8ZBuYC85Se:6KQQ7wiX+EZ8K5Se
Size:	240128
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\kas.exe

"C:\Users\user\Desktop\kas.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4564
Target ID:	0
Parent PID:	1028
Name:	kas.exe
Path:	C:\Users\user\Desktop\kas.exe
Commandline:	"C:\Users\user\Desktop\kas.exe"
Size:	1218405
MD5:	911E5EA2603B4A7DC17BF847DDA0F6F9
Time:	23:19:52
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	782336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\kas.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3180
Target ID:	2
Parent PID:	4564
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\kas.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	23:19:53
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa80000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pgsu.co.id

unknown

http://r10.o.lencr.org0#

unknown

Details

Name:	http://r10.o.lencr.org0#
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.4477300275.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474819256.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475701105.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

http://mail.pgsu.co.id

unknown

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.4477300275.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474819256.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475701105.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

http://r10.i.lencr.org/0

unknown

Details

Name:	http://r10.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.4477300275.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474819256.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475701105.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

pgsu.co.id

107.178.108.41

Details

Name:	pgsu.co.id
IP:	107.178.108.41
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.pgsu.co.id

unknown

Details

Name:	mail.pgsu.co.id
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

107.178.108.41

pgsu.co.id

United States

Details

IP:	107.178.108.41
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	53755
ASN name:	IOFLOODUS
Private:	false
Domain:	pgsu.co.id

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

system

page execute and read and write

2E51000

trusted library allocation

page read and write

AB0000

direct allocation

page read and write

2E9E000

trusted library allocation

page read and write

2EC9000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

B2A000

heap

page read and write

418D000

heap

page read and write

4096000

heap

page read and write

3A3F000

stack

page read and write

418D000

heap

page read and write

2C42000

trusted library allocation

page read and write

2C2C000

stack

page read and write

1078000

heap

page read and write

8FE000

stack

page read and write

418D000

heap

page read and write

564E000

unkown

page read and write

68CE000

stack

page read and write

4580000

direct allocation

page read and write

3FB3000

heap

page read and write

4096000

heap

page read and write

2C3B000

trusted library allocation

page read and write

3E79000

trusted library allocation

page read and write

41EF000

heap

page read and write

41C7000

heap

page read and write

3F9C000

heap

page read and write

62FB000

trusted library allocation

page read and write

490000

unkown

page read and write

48BE000

direct allocation

page read and write

406D000

heap

page read and write

8AF000

stack

page read and write

2C51000

trusted library allocation

page read and write

126E000

stack

page read and write

58D0000

trusted library allocation

page execute and read and write

410E000

heap

page read and write

63CD000

stack

page read and write

4A7000

unkown

page read and write

2C5D000

trusted library allocation

page read and write

418D000

heap

page read and write

128D000

trusted library allocation

page execute and read and write

4849000

direct allocation

page read and write

9A000

stack

page read and write

41EF000

heap

page read and write

41EF000

heap

page read and write

4720000

direct allocation

page read and write

4720000

direct allocation

page read and write

1296000

trusted library allocation

page execute and read and write

419F000

heap

page read and write

12A2000

trusted library allocation

page read and write

12A0000

trusted library allocation

page read and write

4580000

direct allocation

page read and write

46A3000

direct allocation

page read and write

B5D000

heap

page read and write

418D000

heap

page read and write

1162000

heap

page read and write

62ED000

stack

page read and write

418D000

heap

page read and write

3B46000

heap

page read and write

533C000

trusted library allocation

page read and write

1292000

trusted library allocation

page read and write

48BE000

direct allocation

page read and write

670E000

stack

page read and write

5300000

heap

page execute and read and write

104E000

stack

page read and write

58C6000

trusted library allocation

page read and write

3F3F000

heap

page read and write

4580000

direct allocation

page read and write

4033000

heap

page read and write

418D000

heap

page read and write

4720000

direct allocation

page read and write

41EF000

heap

page read and write

171E000

stack

page read and write

1300000

heap

page read and write

46A3000

direct allocation

page read and write

1102000

heap

page read and write

418D000

heap

page read and write

B52000

heap

page read and write

B80000

heap

page read and write

131F000

stack

page read and write

4849000

direct allocation

page read and write

970000

heap

page read and write

6219000

heap

page read and write

129A000

trusted library allocation

page execute and read and write

12A5000

trusted library allocation

page execute and read and write

2EB7000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

69CF000

stack

page read and write

46A3000

direct allocation

page read and write

4849000

direct allocation

page read and write

4849000

direct allocation

page read and write

58B0000

trusted library allocation

page read and write

6B10000

heap

page read and write

2EC5000

trusted library allocation

page read and write

12D0000

trusted library allocation

page execute and read and write

93E000

stack

page read and write

41EF000

heap

page read and write

12C0000

trusted library allocation

page read and write

2EE0000

trusted library allocation

page read and write

41EF000

heap

page read and write

4849000

direct allocation

page read and write

5344000

heap

page read and write

406D000

heap

page read and write

3F3B000

heap

page read and write

4096000

heap

page read and write

484D000

direct allocation

page read and write

58F0000

trusted library allocation

page execute and read and write

2C56000

trusted library allocation

page read and write

4580000

direct allocation

page read and write

658D000

stack

page read and write

48BE000

direct allocation

page read and write

3F4C000

heap

page read and write

484D000

direct allocation

page read and write

995000

heap

page read and write

3CB2000

heap

page read and write

2C4E000

trusted library allocation

page read and write

940000

heap

page read and write

3F84000

heap

page read and write

400000

unkown

page readonly

41CA000

heap

page read and write

52DC000

stack

page read and write

4070000

heap

page read and write

AA0000

heap

page read and write

66CE000

stack

page read and write

108E000

heap

page read and write

46A3000

direct allocation

page read and write

2C30000

trusted library allocation

page read and write

482000

unkown

page readonly

134E000

stack

page read and write

621C000

heap

page read and write

418D000

heap

page read and write

12AB000

trusted library allocation

page execute and read and write

46A3000

direct allocation

page read and write

418D000

heap

page read and write

FD0000

heap

page read and write

4F4D000

stack

page read and write

A10000

heap

page read and write

1000000

heap

page read and write

5340000

heap

page read and write

990000

heap

page read and write

4116000

heap

page read and write

1290000

trusted library allocation

page read and write

61B0000

heap

page read and write

12E0000

trusted library allocation

page read and write

418C000

heap

page read and write

1E0000

heap

page read and write

554C000

stack

page read and write

10E9000

heap

page read and write

10A5000

heap

page read and write

B1A000

stack

page read and write

3E51000

trusted library allocation

page read and write

638E000

stack

page read and write

12F0000

trusted library allocation

page read and write

2E9C000

trusted library allocation

page read and write

18E0000

heap

page read and write

5320000

trusted library allocation

page read and write

1270000

trusted library allocation

page read and write

4720000

direct allocation

page read and write

1274000

trusted library allocation

page read and write

A5E000

stack

page read and write

A14000

heap

page read and write

41EF000

heap

page read and write

4580000

direct allocation

page read and write

5350000

heap

page read and write

4096000

heap

page read and write

4AB000

unkown

page readonly

2BEE000

stack

page read and write

41EF000

heap

page read and write

4116000

heap

page read and write

3FD9000

heap

page read and write

6B20000

trusted library allocation

page read and write

48BE000

direct allocation

page read and write

58B7000

trusted library allocation

page read and write

3D70000

heap

page read and write

AA5000

heap

page read and write

EF8000

stack

page read and write

482000

unkown

page readonly

1280000

trusted library allocation

page read and write

484D000

direct allocation

page read and write

418D000

heap

page read and write

406E000

heap

page read and write

4096000

heap

page read and write

490000

unkown

page write copy

4849000

direct allocation

page read and write

410E000

heap

page read and write

B90000

heap

page read and write

3EB9000

trusted library allocation

page read and write

89F000

stack

page read and write

400000

system

page execute and read and write

2C80000

heap

page execute and read and write

41EF000

heap

page read and write

2D40000

heap

page read and write

3CE0000

heap

page read and write

1070000

heap

page read and write

62F0000

trusted library allocation

page read and write

41B6000

heap

page read and write

4720000

direct allocation

page read and write

B2E000

heap

page read and write

406E000

heap

page read and write

2C3E000

trusted library allocation

page read and write

1273000

trusted library allocation

page execute and read and write

41EF000

heap

page read and write

484D000

direct allocation

page read and write

6B30000

trusted library allocation

page execute and read and write

4249000

heap

page read and write

10A7000

heap

page read and write

41EF000

heap

page read and write

6B0D000

stack

page read and write

3A40000

heap

page read and write

484D000

direct allocation

page read and write

2ED1000

trusted library allocation

page read and write

3E70000

heap

page read and write

4720000

direct allocation

page read and write

7FA00000

trusted library allocation

page execute and read and write

6E00000

heap

page read and write

401000

unkown

page execute read

B85000

heap

page read and write

1060000

trusted library allocation

page read and write

48BE000

direct allocation

page read and write

4580000

direct allocation

page read and write

401000

unkown

page execute read

12A7000

trusted library allocation

page execute and read and write

484D000

direct allocation

page read and write

65CE000

stack

page read and write

48BE000

direct allocation

page read and write

2C70000

trusted library allocation

page read and write

4248000

heap

page read and write

1134000

heap

page read and write

41C6000

heap

page execute and read and write

9DE000

stack

page read and write

3FBE000

heap

page read and write

4AB000

unkown

page readonly

5328000

trusted library allocation

page read and write

363E000

stack

page read and write

109A000

heap

page read and write

6A0E000

stack

page read and write

46A3000

direct allocation

page read and write

A80000

heap

page read and write

2E4E000

stack

page read and write

674F000

stack

page read and write

2D30000

trusted library allocation

page read and write

6B40000

heap

page read and write

2C98000

trusted library allocation

page read and write

1144000

heap

page read and write

400000

unkown

page readonly

4471000

heap

page read and write

4096000

heap

page read and write

127D000

trusted library allocation

page execute and read and write

5330000

trusted library allocation

page read and write

100000

heap

page read and write

BE0000

heap

page read and write

418D000

heap

page read and write

B20000

heap

page read and write

There are 242 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
kas.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportkas.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
kas.exe