Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DWbCUTdGhV.exe

"C:\Users\user\Desktop\DWbCUTdGhV.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2132
Target ID:	0
Parent PID:	4004
Name:	DWbCUTdGhV.exe
Path:	C:\Users\user\Desktop\DWbCUTdGhV.exe
Commandline:	"C:\Users\user\Desktop\DWbCUTdGhV.exe"
Size:	182272
MD5:	13B4C5DFF00CF1EA8A635743903E387F
Time:	04:28:18
Date:	08/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	196608
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected KoiLoader	Data Obfuscation
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

https://kionaonline.com/modules/bonslick

unknown

Details

Name:	https://kionaonline.com/modules/bonslick
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DWbCUTdGhV.exe
Source:	DWbCUTdGhV.exe

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

http://121.127.33.20/fermentum.php

Details

Name:	http://121.127.33.20/fermentum.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\DWbCUTdGhV.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

http://121.127.33.20/fermentum.php%temp%

unknown

Details

Name:	http://121.127.33.20/fermentum.php%temp%
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DWbCUTdGhV.exe
Source:	DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

https://kionaonline.com/modules/bonslick/c

unknown

Details

Name:	https://kionaonline.com/modules/bonslick/c
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DWbCUTdGhV.exe
Source:	DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

11F1000

direct allocation

page execute read

13BE000

heap

page read and write

135E000

stack

page read and write

7A1000

unkown

page readonly

7AA000

unkown

page readonly

DF0000

heap

page read and write

790000

unkown

page readonly

11FB000

direct allocation

page readonly

791000

unkown

page execute read

791000

unkown

page execute read

D8C000

stack

page read and write

11FC000

direct allocation

page execute and read and write

2D8E000

stack

page read and write

10FC000

stack

page read and write

125E000

stack

page read and write

790000

unkown

page readonly

7A8000

unkown

page read and write

2F7E000

stack

page read and write

7A1000

unkown

page readonly

15AF000

stack

page read and write

7A8000

unkown

page write copy

11F0000

direct allocation

page readonly

2E70000

heap

page read and write

13BA000

heap

page read and write

13B0000

heap

page read and write

7AA000

unkown

page readonly

1210000

heap

page read and write

139E000

stack

page read and write

11D0000

heap

page read and write

There are 19 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DWbCUTdGhV.exe

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDWbCUTdGhV.exe

Processes

URLs

Memdumps

IOC Report
DWbCUTdGhV.exe