Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\a5gvJhukP7.exe

"C:\Users\user\Desktop\a5gvJhukP7.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6436
Target ID:	0
Parent PID:	2580
Name:	a5gvJhukP7.exe
Path:	C:\Users\user\Desktop\a5gvJhukP7.exe
Commandline:	"C:\Users\user\Desktop\a5gvJhukP7.exe"
Size:	135168
MD5:	18579D8151A242CF2E9B69B016479481
Time:	17:11:58
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xba0000
Modulesize:	151552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Pony	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has a writable .reloc section	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\Desktop\a5gvJhukP7.exe

"C:\Users\user\Desktop\a5gvJhukP7.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6608
Target ID:	1
Parent PID:	6436
Name:	a5gvJhukP7.exe
Path:	C:\Users\user\Desktop\a5gvJhukP7.exe
Commandline:	"C:\Users\user\Desktop\a5gvJhukP7.exe"
Size:	135168
MD5:	18579D8151A242CF2E9B69B016479481
Time:	17:12:02
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xba0000
Modulesize:	151552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Pony	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has a writable .reloc section	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://tokulances.sitebr.net/jV1.exe

http://67.215.225.205:8080/forum/viewtopic.php

http://ftp.approachit.com/jZy.exe

http://atualizacoes.issqn.net/FhPD.exe

http://67.215.225.205/forum/viewtopic.php

67.215.225.205

http://209.59.219.70/forum/viewtopic.php

http://https://ftp://operawand.dat_Software

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

ftp://http://https://ftp.fireFTPsites.datSeaMonkey

unknown

http://www.ibsensoftware.com/

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://67.215.225.205:8080/forum/viewtopic.phpcv

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://67.215.225.205:8080/forum/viewtopic.phphttp://209.59.219.70/forum/viewtopic.phphttp://ftp.app

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 10 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

67.215.225.205

unknown

United States

Details

IP:	67.215.225.205
TargetID:	1
Current Path:	C:\Users\user\Desktop\a5gvJhukP7.exe
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\WinRAR

HWID

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

BA9000

unkown

page read and write

BAB000

unkown

page read and write

2E9C000

stack

page read and write

11F1000

heap

page read and write

11E7000

heap

page read and write

BA0000

unkown

page readonly

D5B000

stack

page read and write

395E000

stack

page read and write

BAB000

unkown

page write copy

11EA000

heap

page read and write

36DE000

stack

page read and write

11EF000

heap

page read and write

3220000

trusted library allocation

page read and write

3A5F000

stack

page read and write

1290000

heap

page read and write

BA1000

unkown

page execute and write copy

107E000

stack

page read and write

BA1000

unkown

page execute and write copy

11F1000

heap

page read and write

DD0000

heap

page read and write

11FE000

heap

page read and write

11F1000

heap

page read and write

11EA000

heap

page read and write

2ED0000

heap

page read and write

11EA000

heap

page read and write

10C0000

heap

page read and write

11E7000

heap

page read and write

BC2000

unkown

page write copy

10FB000

stack

page read and write

CAB000

stack

page read and write

11EA000

heap

page read and write

2D80000

heap

page read and write

1030000

heap

page read and write

3BAE000

heap

page read and write

11F1000

heap

page read and write

1204000

heap

page read and write

355F000

stack

page read and write

11EC000

heap

page read and write

1020000

heap

page read and write

1010000

heap

page read and write

11EA000

heap

page read and write

11F7000

heap

page read and write

345E000

stack

page read and write

BAB000

unkown

page write copy

BA0000

unkown

page readonly

2F00000

heap

page read and write

381E000

stack

page read and write

138F000

stack

page read and write

11E7000

heap

page read and write

11FE000

heap

page read and write

11E7000

heap

page read and write

1190000

heap

page read and write

341D000

stack

page read and write

11F1000

heap

page read and write

BA0000

unkown

page readonly

11EC000

heap

page read and write

1204000

heap

page read and write

4156000

heap

page read and write

10CE000

heap

page read and write

369F000

stack

page read and write

391F000

stack

page read and write

3A9E000

stack

page read and write

3220000

trusted library allocation

page read and write

BA7000

unkown

page write copy

11F1000

heap

page read and write

BA8000

unkown

page write copy

BA1000

unkown

page execute and write copy

11F1000

heap

page read and write

DAC000

stack

page read and write

10CA000

heap

page read and write

BC4000

unkown

page read and write

11F7000

heap

page read and write

10BE000

stack

page read and write

37DF000

stack

page read and write

2C70000

heap

page read and write

12B0000

heap

page read and write

2D80000

heap

page read and write

11EA000

heap

page read and write

11F1000

heap

page read and write

11EC000

heap

page read and write

BA0000

unkown

page readonly

359E000

stack

page read and write

1198000

heap

page read and write

11EC000

heap

page read and write

148F000

stack

page read and write

11EA000

heap

page read and write

11F1000

heap

page read and write

BA1000

unkown

page execute and write copy

3B9F000

stack

page read and write

BA7000

unkown

page write copy

BA7000

unkown

page write copy

DC0000

heap

page read and write

BA7000

unkown

page read and write

BAB000

unkown

page write copy

12B5000

heap

page read and write

There are 86 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
a5gvJhukP7.exe

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporta5gvJhukP7.exe

Processes

URLs

IPs

Registry

Memdumps

IOC Report
a5gvJhukP7.exe