Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\vNenBbeRFZ.exe

"C:\Users\user\Desktop\vNenBbeRFZ.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6476
Target ID:	0
Parent PID:	2580
Name:	vNenBbeRFZ.exe
Path:	C:\Users\user\Desktop\vNenBbeRFZ.exe
Commandline:	"C:\Users\user\Desktop\vNenBbeRFZ.exe"
Size:	14848
MD5:	D5B1B322CA3997B573D687FDD9B4DF96
Time:	22:18:59
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected ReflectiveLoader	Data Obfuscation
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

47.239.242.141

http://47.239.242.141/BQPy

http://47.239.242.141:9999/ga.js

47.239.242.141

http://47.239.242.141:9999/BQPy

47.239.242.141

http://47.239.242.141:9999/ga.jskX

unknown

http://47.239.242.141:9999/ga.jslu

unknown

http://47.239.242.141:9999/BQPyHPe)

unknown

http://47.239.242.141:9999/ga.jsl

unknown

http://47.239.242.141:9999/ga.jsl#

unknown

http://47.239.242.141:9999/BQPy%

unknown

http://47.239.242.141:9999/BQPygP

unknown

http://47.239.242.141:9999/ga.jslGX

unknown

http://47.239.242.141:9999/ga.jslqX

unknown

http://127.0.0.1:%u/

unknown

http://47.239.242.141:9999/ga.jsSX

unknown

http://47.239.242.141:9999/ga.jsot

unknown

http://47.239.242.141:9999/ga.jsW

unknown

There are 7 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

47.239.242.141

unknown

United States

Details

IP:	47.239.242.141
TargetID:	0
Current Path:	C:\Users\user\Desktop\vNenBbeRFZ.exe
Country:	United States
Countrycode:	USA
ASN number:	20115
ASN name:	CHARTER-20115US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3970000

direct allocation

page execute and read and write

110000

direct allocation

page execute read

3D70000

direct allocation

page execute and read and write

349B000

stack

page read and write

719000

heap

page read and write

71E000

heap

page read and write

1FC000

stack

page read and write

A20000

heap

page read and write

A0F000

stack

page read and write

325F000

stack

page read and write

3F20000

heap

page read and write

34DE000

stack

page read and write

75C000

heap

page read and write

130000

heap

page read and write

AFE000

stack

page read and write

401000

unkown

page execute read

F7D000

stack

page read and write

100000

heap

page read and write

372E000

stack

page read and write

403000

unkown

page write copy

401000

unkown

page execute read

60E000

stack

page read and write

400000

unkown

page readonly

785000

heap

page read and write

3DAD000

direct allocation

page execute and read and write

400000

unkown

page readonly

3EE0000

direct allocation

page execute read

3EE1000

direct allocation

page execute and read and write

3DA4000

direct allocation

page execute and read and write

77E000

heap

page read and write

36DE000

stack

page read and write

F0000

heap

page read and write

403000

unkown

page read and write

3F30000

heap

page read and write

329E000

stack

page read and write

305F000

stack

page read and write

406000

unkown

page write copy

3ED0000

heap

page read and write

404000

unkown

page readonly

B70000

heap

page read and write

3F34000

heap

page read and write

3DAF000

direct allocation

page execute and read and write

B5E000

stack

page read and write

135000

heap

page read and write

406000

unkown

page read and write

9D000

stack

page read and write

404000

unkown

page readonly

775000

heap

page read and write

392E000

stack

page read and write

3F38000

heap

page read and write

710000

heap

page read and write

17E000

stack

page read and write

39A4000

direct allocation

page execute and read and write

3F32000

heap

page read and write

3DA6000

direct allocation

page execute and read and write

There are 45 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
vNenBbeRFZ.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportvNenBbeRFZ.exe

Processes

URLs

IPs

Memdumps

IOC Report
vNenBbeRFZ.exe