Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\KKFBFCAFCBKF\AFCBFI

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBFCAFCBKF\AKKKFB

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\KKFBFCAFCBKF\AKKKFB-shm

data

dropped

C:\ProgramData\KKFBFCAFCBKF\CAAKFI

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\KKFBFCAFCBKF\DAECAE

ASCII text, with very long lines (1743), with CRLF line terminators

modified

C:\ProgramData\KKFBFCAFCBKF\DAKJDH

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\ProgramData\KKFBFCAFCBKF\DHCGID

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBFCAFCBKF\EBKKKE

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\KKFBFCAFCBKF\HDBGHI

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBFCAFCBKF\HIIIJD

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\KKFBFCAFCBKF\HIIIJD-shm

data

dropped

C:\ProgramData\KKFBFCAFCBKF\JEGHJK

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\KKFBFCAFCBKF\JKFCBA

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sql[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\delays.tmp

ASCII text, with very long lines (65536), with no line terminators

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 19 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5276
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	594296
MD5:	E92D327838D5F6952F612283A2425E24
Time:	21:15:05
Date:	06/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1000000
Modulesize:	598016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2000
Target ID:	1
Parent PID:	5276
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	21:15:06
Date:	06/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x880000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://t.me/ae5ed

unknown

http://lade.petperfectcare.com/mozglue.dll

95.164.90.97

http://lade.petperfectcare.com/sql.dll

95.164.90.97

http://lade.petperfectcare.com/

95.164.90.97

http://lade.petperfectcare.com/msvcp140.dll

95.164.90.97

http://lade.petperfectcare.com/freebl3.dll

95.164.90.97

http://lade.petperfectcare.com/nss3.dll

95.164.90.97

http://lade.petperfectcare.com/softokn3.dll

95.164.90.97

https://steamcommunity.com/profiles/76561199780418869

http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5

unknown

http://lade.petperfectcare.com/vcruntime140.dll

95.164.90.97

https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.

unknown

http://%s%s%s

95.164.90.97

https://duckduckgo.com/chrome_newtab

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://duckduckgo.com/ac/?q=

unknown

https://mozilla.org0/

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi

unknown

http://lade.petperfectcare.com/softokn3.dllCiu

unknown

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.

unknown

http://lade.petperfectcare.com:80t-Disposition:

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://upx.sf.net

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://lade.petperfectcare.com/freebl3.dllWiy

unknown

https://www.ecosia.org/newtab/

unknown

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

http://lade.petperfectcare.com:80/sql.dll

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://cowod.hopto.org_DEBUG.zip/c

unknown

http://lade.petperfectcare.com/sql.dllIs

unknown

https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

http://lade.petperfectcare.com/y

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://lade.petperfectcare.com/softokn3.dll3i%

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL

unknown

https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477

unknown

https://support.mozilla.org

unknown

http://lade.petperfectcare.com:80

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://www.sqlite.org/copyright.html.

unknown

There are 35 hidden URLs, click here to show them.

Domains

Name

Malicious

lade.petperfectcare.com

95.164.90.97

Details

Name:	lade.petperfectcare.com
IP:	95.164.90.97
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

s-part-0017.t-0009.t-msedge.net

13.107.246.45

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

95.164.90.97

lade.petperfectcare.com

Gibraltar

Details

IP:	95.164.90.97
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Gibraltar
Countrycode:	GIB
ASN number:	39762
ASN name:	VAKPoltavaUkraineUA
Private:	false
Domain:	lade.petperfectcare.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

102C000

unkown

page read and write

400000

remote allocation

page execute and read and write

4A18B000

stack

page read and write

C177000

heap

page read and write

203D8000

heap

page read and write

1075000

heap

page read and write

19C7F000

heap

page read and write

15C0000

heap

page read and write

102C000

unkown

page write copy

10CE000

heap

page read and write

10F8000

heap

page read and write

10D5000

heap

page read and write

463000

remote allocation

page execute and read and write

E98000

heap

page read and write

4A80B000

stack

page read and write

A3A0000

heap

page read and write

19DE9000

heap

page read and write

19CA9000

heap

page read and write

1735F000

stack

page read and write

A48E000

heap

page read and write

14C9E000

stack

page read and write

16B0000

heap

page read and write

108F000

unkown

page readonly

154E000

stack

page read and write

3E107000

heap

page read and write

CF0000

stack

page read and write

4F400000

trusted library allocation

page read and write

19BA9000

heap

page read and write

19CA2000

heap

page read and write

1001000

unkown

page execute read

CEE000

stack

page read and write

10FB000

heap

page read and write

1FE28000

direct allocation

page readonly

10D9000

heap

page read and write

4A56C000

stack

page read and write

19BA0000

heap

page read and write

1115000

heap

page read and write

1FE52000

direct allocation

page read and write

1FE5A000

direct allocation

page readonly

C180000

heap

page read and write

F0C000

heap

page read and write

19C13000

heap

page read and write

6C51E000

unkown

page read and write

4F4B5000

heap

page read and write

6C50D000

unkown

page readonly

4F4E6000

heap

page read and write

CEC000

stack

page read and write

198FC000

stack

page read and write

19AF000

stack

page read and write

2C2B8000

heap

page read and write

E70000

heap

page read and write

4F4DC000

heap

page read and write

46B000

remote allocation

page execute and read and write

1002000

heap

page read and write

173BC000

stack

page read and write

6C6CF000

unkown

page readonly

4F4B0000

heap

page read and write

4F4C1000

heap

page read and write

1FE1D000

direct allocation

page execute read

11B0000

heap

page read and write

51850000

heap

page read and write

2634C000

heap

page read and write

6C715000

unkown

page readonly

4B3000

remote allocation

page execute and read and write

10D1000

heap

page read and write

114A000

heap

page read and write

116E000

heap

page read and write

656000

remote allocation

page execute and read and write

119D000

stack

page read and write

1FC18000

direct allocation

page execute read

19B90000

heap

page read and write

C260000

unclassified section

page read and write

1FFBD000

heap

page read and write

112F000

heap

page read and write

56B000

remote allocation

page execute and read and write

1FC10000

direct allocation

page execute and read and write

10EA000

heap

page read and write

A43D000

stack

page read and write

A47E000

stack

page read and write

4F4E2000

heap

page read and write

1FC11000

direct allocation

page execute read

11A3000

heap

page read and write

19C0B000

heap

page read and write

19AA0000

heap

page read and write

1275F000

stack

page read and write

94C000

stack

page read and write

EDA000

heap

page read and write

1022000

unkown

page readonly

19C1B000

heap

page read and write

4A50C000

stack

page read and write

10E8000

heap

page read and write

4F4EA000

heap

page read and write

4D2000

remote allocation

page execute and read and write

1725E000

stack

page read and write

6C70E000

unkown

page read and write

FF010000

trusted library allocation

page execute read

1000000

unkown

page readonly

6C530000

unkown

page readonly

1B60000

heap

page read and write

F29000

heap

page read and write

9B0000

heap

page read and write

6C490000

unkown

page readonly

19BCB000

heap

page read and write

6C70F000

unkown

page write copy

171DD000

stack

page read and write

10A0000

heap

page read and write

4F3EF000

stack

page read and write

19BB9000

heap

page read and write

6C710000

unkown

page read and write

10E3000

heap

page read and write

19A9C000

stack

page read and write

1173000

heap

page read and write

4F4DE000

heap

page read and write

51402000

trusted library allocation

page read and write

1009000

heap

page read and write

C160000

heap

page read and write

4F4C5000

heap

page read and write

16BA000

heap

page read and write

4A66F000

stack

page read and write

1019000

heap

page read and write

6C522000

unkown

page readonly

1FE5F000

direct allocation

page readonly

19E07000

heap

page read and write

19B5B000

stack

page read and write

A3FE000

stack

page read and write

EF5000

heap

page read and write

1FE5D000

direct allocation

page readonly

FAD000

stack

page read and write

3222B000

heap

page read and write

494000

remote allocation

page execute and read and write

E90000

heap

page read and write

467000

remote allocation

page execute and read and write

1999B000

stack

page read and write

1001000

unkown

page execute read

1022000

unkown

page readonly

4A90D000

stack

page read and write

1FE1F000

direct allocation

page readonly

19EB0000

heap

page read and write

150E000

stack

page read and write

1FD76000

direct allocation

page execute read

18AF000

stack

page read and write

A487000

heap

page read and write

4A402000

stack

page read and write

19C92000

heap

page read and write

10FF000

heap

page read and write

48F000

remote allocation

page execute and read and write

6C531000

unkown

page execute read

19C11000

heap

page read and write

1000000

unkown

page readonly

E10000

heap

page read and write

108C000

unkown

page execute and read and write

CFC000

stack

page read and write

108F000

unkown

page readonly

A480000

heap

page read and write

4F4BA000

heap

page read and write

1FF15000

heap

page read and write

11C0000

heap

page read and write

1FE78000

heap

page read and write

10F2000

heap

page read and write

670000

remote allocation

page execute and read and write

4CEAE000

stack

page read and write

108E000

unkown

page read and write

19EAE000

heap

page read and write

6C491000

unkown

page execute read

16BE000

heap

page read and write

F69000

heap

page read and write

3819C000

heap

page read and write

4F4D3000

heap

page read and write

There are 158 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe