IOC Report
file.exe

Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\HIEBAKEHDHCA\AAAKEB | SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11 | dropped |
C:\ProgramData\HIEBAKEHDHCA\ECGDAA | SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\HIEBAKEHDHCA\EGCGHC | ASCII text, with very long lines (1809), with CRLF line terminators | modified |
C:\ProgramData\HIEBAKEHDHCA\GDBFCG | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\HIEBAKEHDHCA\GDHCGD | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\HIEBAKEHDHCA\GIJDAF | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped |
C:\ProgramData\HIEBAKEHDHCA\HDBGHD | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\HIEBAKEHDHCA\HDBGHD-shm | data | dropped |
C:\ProgramData\HIEBAKEHDHCA\IEHDBG | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped |
C:\ProgramData\HIEBAKEHDHCA\IEHDBG-shm | data | dropped |
C:\ProgramData\HIEBAKEHDHCA\IJECBG | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\delays.tmp | ASCII text, with very long lines (65536), with no line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | malicious

URLs

Name | IP | Malicious
http://lade.petperfectcare.com/mozglue.dll | 95.164.90.97 | malicious
http://lade.petperfectcare.com/sql.dll | 95.164.90.97 | malicious
http://lade.petperfectcare.com/ | 95.164.90.97 | malicious
http://lade.petperfectcare.com/msvcp140.dll | 95.164.90.97 | malicious
http://lade.petperfectcare.com/freebl3.dll | 95.164.90.97 | malicious
http://lade.petperfectcare.com/nss3.dll | 95.164.90.97 | malicious
http://lade.petperfectcare.com/softokn3.dll | 95.164.90.97 | malicious
https://steamcommunity.com/profiles/76561199780418869 | | malicious
http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5 | unknown | malicious
http://lade.petperfectcare.com/vcruntime140.dll | 95.164.90.97 | malicious
https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5. | unknown | malicious
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | unknown |
https://t.me/ae5ed | unknown |
http://www.mozilla.com/en-US/blocklist/ | unknown |
https://mozilla.org0/ | unknown |
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | unknown |
http://lade.petperfectcare.com/nss3.dllq | unknown |
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | unknown |
http://lade.petperfectcare.com/softokn3.dll-0 | unknown |
http://lade.petperfectcare.com:80t-Disposition: | unknown |
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | unknown |
http://upx.sf.net | unknown |
http://lade.petperfectcare.com/vcruntime140.dllo | unknown |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | unknown |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | unknown |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe | unknown |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | unknown |
http://lade.petperfectcare.com:80/sql.dll | unknown |
http://cowod.hopto.org_DEBUG.zip/c | unknown |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | unknown |
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | unknown |
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | unknown |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | unknown |
https://support.mozilla.org | unknown |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | unknown |
http://lade.petperfectcare.com:80 | unknown |
http://lade.petperfectcare.com/sql.dlld | unknown |
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | unknown |
http://www.sqlite.org/copyright.html. | unknown |
http://lade.petperfectcare.com/H | unknown |

Domains

Name | IP | Malicious
lade.petperfectcare.com | 95.164.90.97 | malicious
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 |
fp2e7a.wpc.phicdn.net | 192.229.221.95 |

IPs

IP | Domain | Country | Malicious
95.164.90.97 | lade.petperfectcare.com | Gibraltar | malicious

Memdumps
