Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

0FZVLEdDuc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\KKFBAAFCGIEG\AKEGII

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\KKFBAAFCGIEG\AKEGII-shm

data

dropped

C:\ProgramData\KKFBAAFCGIEG\BAFBFC

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\KKFBAAFCGIEG\BFBFBF

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\KKFBAAFCGIEG\BFBFBF-shm

data

dropped

C:\ProgramData\KKFBAAFCGIEG\FHJDGH

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBAAFCGIEG\GCGHJE

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\KKFBAAFCGIEG\HIDAKF

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBAAFCGIEG\IDGHDG

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBAAFCGIEG\KFBAEC

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\KKFBAAFCGIEG\KJDGIJ

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\KKFBAAFCGIEG\KKFBAA

ASCII text, with very long lines (1808), with CRLF line terminators

modified

C:\ProgramData\KKFBAAFCGIEG\KKKJKE

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\sql[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\delays.tmp

Non-ISO extended-ASCII text, with very long lines (65536), with no line terminators

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 19 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\0FZVLEdDuc.exe

"C:\Users\user\Desktop\0FZVLEdDuc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7556
Target ID:	1
Parent PID:	3968
Name:	0FZVLEdDuc.exe
Path:	C:\Users\user\Desktop\0FZVLEdDuc.exe
Commandline:	"C:\Users\user\Desktop\0FZVLEdDuc.exe"
Size:	594296
MD5:	3BC704412A19E066CD16A241BFF0DD9D
Time:	03:34:13
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	598016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7612
Target ID:	4
Parent PID:	7556
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	03:34:13
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x680000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://lade.petperfectcare.com/mozglue.dll

95.164.90.97

http://lade.petperfectcare.com/nss3.dll

95.164.90.97

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

unknown

http://lade.petperfectcare.com/sql.dll

95.164.90.97

http://lade.petperfectcare.com/

95.164.90.97

http://lade.petperfectcare.com/msvcp140.dll

95.164.90.97

http://lade.petperfectcare.com/freebl3.dll

95.164.90.97

http://lade.petperfectcare.com/softokn3.dll

95.164.90.97

http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5

unknown

http://lade.petperfectcare.com/vcruntime140.dll

95.164.90.97

https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

http://lade.petp&

unknown

https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr

unknown

http://lade.petperfectcare.com:80t-Disposition:

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp

unknown

http://lade.petperfectcare.com:80/sql.dll

unknown

https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg

unknown

http://cowod.hopto.org_DEBUG.zip/c

unknown

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi

unknown

http://lade.petperfectcare.com/sql.dllT

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta

unknown

http://lade.petperfectcare.com:80

unknown

http://lade.petperfectcare.com/softokn3.dll:s

unknown

http://www.sqlite.org/copyright.html.

unknown

http://lade.petperfectcare.com/nss3.dlli

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://lade.petperfectcare.com/msvcp140.dllr

unknown

http://lade.petperfectcare.com/nss3.dllm

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://upx.sf.net

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64

unknown

http://lade.petperfectcare.com/mozglue.dll~

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

http://lade.petperfectcare.com/freebl3.dllV

unknown

http://lade.petperfectcare.com/freebl3.dllB

unknown

https://support.mozilla.org

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://lade.petperfectcare.com/mozglue.dllj

unknown

There are 39 hidden URLs, click here to show them.

Domains

Name

Malicious

lade.petperfectcare.com

95.164.90.97

Details

Name:	lade.petperfectcare.com
IP:	95.164.90.97
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

s-part-0017.t-0009.t-msedge.net

13.107.246.45

IPs

Domain

Country

Malicious

95.164.90.97

lade.petperfectcare.com

Gibraltar

Details

IP:	95.164.90.97
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Gibraltar
Countrycode:	GIB
ASN number:	39762
ASN name:	VAKPoltavaUkraineUA
Private:	false
Domain:	lade.petperfectcare.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

FDC000

unkown

page read and write

4F2B5000

heap

page read and write

3B90B000

heap

page read and write

494000

remote allocation

page execute and read and write

C90000

heap

page read and write

4F1DF000

stack

page read and write

FB0000

unkown

page readonly

17385000

heap

page read and write

48F000

remote allocation

page execute and read and write

1096000

heap

page read and write

C9A000

heap

page read and write

1DBEC000

heap

page read and write

7F3E000

heap

page read and write

4F2A5000

heap

page read and write

49F0B000

stack

page read and write

E30000

heap

page read and write

C80000

heap

page read and write

29ABD000

heap

page read and write

176C4000

heap

page read and write

FFBF000

stack

page read and write

6CAC1000

unkown

page execute read

17542000

heap

page read and write

102C000

heap

page read and write

1D7D5000

heap

page read and write

56B000

remote allocation

page execute and read and write

1D70A000

direct allocation

page readonly

103E000

unkown

page read and write

6CB52000

unkown

page readonly

100B000

heap

page read and write

BAA000

heap

page read and write

1043000

heap

page read and write

101A000

heap

page read and write

7B0000

heap

page read and write

1025000

heap

page read and write

6CB60000

unkown

page readonly

14BFF000

stack

page read and write

7EE000

stack

page read and write

4A6FD000

stack

page read and write

6CB3D000

unkown

page readonly

BD0000

heap

page read and write

1001000

heap

page read and write

1747B000

heap

page read and write

74C000

stack

page read and write

4F2CC000

heap

page read and write

17440000

heap

page read and write

4F2D2000

heap

page read and write

1731C000

stack

page read and write

14ABC000

stack

page read and write

6CD3E000

unkown

page read and write

4F2CE000

heap

page read and write

4B3000

remote allocation

page execute and read and write

FB0000

unkown

page readonly

9A80000

unclassified section

page read and write

176A6000

heap

page read and write

1D626000

direct allocation

page execute read

1755F000

heap

page read and write

C70000

heap

page read and write

1D4C1000

direct allocation

page execute read

DFC000

heap

page read and write

1D702000

direct allocation

page read and write

174CB000

heap

page read and write

174BB000

heap

page read and write

17320000

heap

page read and write

1D4C0000

direct allocation

page execute and read and write

4A5FB000

stack

page read and write

AF9000

stack

page read and write

46B000

remote allocation

page execute and read and write

14AFE000

stack

page read and write

511F2000

trusted library allocation

page read and write

463000

remote allocation

page execute and read and write

4D2000

remote allocation

page execute and read and write

E1D000

heap

page read and write

1721B000

stack

page read and write

1D4C8000

direct allocation

page execute read

E17000

heap

page read and write

FEBE000

stack

page read and write

4F2AA000

heap

page read and write

6CCFF000

unkown

page readonly

790000

heap

page read and write

6CD45000

unkown

page readonly

AFD000

stack

page read and write

BA0000

heap

page read and write

E9F000

stack

page read and write

DB0000

heap

page read and write

B3E000

stack

page read and write

1012000

heap

page read and write

17566000

heap

page read and write

CA0000

heap

page read and write

7A0000

heap

page read and write

102E000

heap

page read and write

10BE000

heap

page read and write

1752F000

heap

page read and write

AF1000

stack

page read and write

103C000

unkown

page execute and read and write

2FA2C000

heap

page read and write

1016000

heap

page read and write

1257E000

stack

page read and write

103F000

heap

page read and write

1D6D8000

direct allocation

page readonly

72D000

stack

page read and write

BAE000

heap

page read and write

E22000

heap

page read and write

DB8000

heap

page read and write

17459000

heap

page read and write

4A35C000

stack

page read and write

E79000

heap

page read and write

23B50000

heap

page read and write

51640000

heap

page read and write

6CB4E000

unkown

page read and write

1717E000

stack

page read and write

14C3C000

stack

page read and write

FDC000

unkown

page write copy

4A1F2000

stack

page read and write

7F37000

heap

page read and write

AFD000

stack

page read and write

103F000

unkown

page readonly

3599D000

heap

page read and write

CC0000

heap

page read and write

1D72D000

heap

page read and write

1061000

heap

page read and write

6CAC0000

unkown

page readonly

1253D000

stack

page read and write

4A45F000

stack

page read and write

1D70F000

direct allocation

page readonly

103F000

unkown

page readonly

FFFD000

stack

page read and write

10BB000

heap

page read and write

1D6CD000

direct allocation

page execute read

4F2D6000

heap

page read and write

101F000

heap

page read and write

6CB61000

unkown

page execute read

467000

remote allocation

page execute and read and write

F41000

heap

page read and write

FB1000

unkown

page execute read

1D70D000

direct allocation

page readonly

7F30000

heap

page read and write

4A2FC000

stack

page read and write

4F2DA000

heap

page read and write

6CD40000

unkown

page read and write

4CC9E000

stack

page read and write

1240000

heap

page read and write

D80000

heap

page read and write

FD2000

unkown

page readonly

FF870000

trusted library allocation

page execute read

4F2B1000

heap

page read and write

F9F000

stack

page read and write

4F2C3000

heap

page read and write

1776D000

heap

page read and write

FB1000

unkown

page execute read

656000

remote allocation

page execute and read and write

1038000

heap

page read and write

FDE000

heap

page read and write

1D6CF000

direct allocation

page readonly

F5A000

heap

page read and write

43E3B000

stack

page read and write

174C7000

heap

page read and write

17450000

heap

page read and write

107C000

heap

page read and write

670000

remote allocation

page execute and read and write

4F1F0000

trusted library allocation

page read and write

4F2A0000

heap

page read and write

AED000

stack

page read and write

1028000

heap

page read and write

FD2000

unkown

page readonly

17469000

heap

page read and write

6CD3F000

unkown

page write copy

1776B000

heap

page read and write

There are 158 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0FZVLEdDuc.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0FZVLEdDuc.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
0FZVLEdDuc.exe