Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

JFFjXW16yR.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.7996497074177755
Filename:	JFFjXW16yR.exe
Filesize:	399872
MD5:	074c4994bc41a053e18c4e5d37e5b62b
SHA1:	47947622d88d6881f85bae692a3d4202f04bcb03
SHA256:	d9571b8bc83fb768f27c1a7e0565d16c5ebd9508e4c6d9c15474d2c53df99e93
SHA512:	87b4ba11e006ba455d639fb3f21aa29860d83a5aef8ec3b3ac7214be20fc342a41b0a7ce16cea896dd05d9ba9a01aa93164066f8b69496464e0334568ccdb2c1
SSDEEP:	6144:8BcqRsX8d8Vnw1qiyqmYZ6qW51bxOk/nz8DbqS:8pSSqiRZO5XOUzge
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................n/... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JFFjXW16yR.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JFFjXW16yR.exe.log
Category:	dropped
Dump:	JFFjXW16yR.exe.log.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
Type:	CSV text
Entropy:	5.354334472896228
Encrypted:	false
Ssdeep:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQEAHKKkKYHKGSI6oPtHTH0
Size:	847
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\tmp18BD.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmp18BD.tmp.dat
Category:	dropped
Dump:	tmp18BD.tmp.dat.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Entropy:	0.8553638852307782
Encrypted:	false
Ssdeep:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
Size:	40960
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\tmp18ED.tmp.dat

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmp18ED.tmp.dat
Category:	dropped
Dump:	tmp18ED.tmp.dat.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Entropy:	0.8180424350137764
Encrypted:	false
Ssdeep:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
Size:	49152
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\loginFile.db

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\loginFile.db
Category:	dropped
Dump:	loginFile.db.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\JFFjXW16yR.exe
Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Entropy:	0.8180424350137764
Encrypted:	false
Ssdeep:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
Size:	49152
Whitelisted:	true
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\JFFjXW16yR.exe

"C:\Users\user\Desktop\JFFjXW16yR.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2944
Target ID:	0
Parent PID:	2580
Name:	JFFjXW16yR.exe
Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Commandline:	"C:\Users\user\Desktop\JFFjXW16yR.exe"
Size:	399872
MD5:	074C4994BC41A053E18C4E5D37E5B62B
Time:	07:51:59
Date:	08/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf00000
Modulesize:	425984
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected DarkCloud	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2256
Target ID:	1
Parent PID:	2944
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:51:59
Date:	08/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.telegram.org

unknown

Details

Name:	https://api.telegram.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Source:	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

https://api.telegram.org/bot

unknown

Details

Name:	https://api.telegram.org/bot
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Source:	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00

149.154.167.220

Details

Name:	https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00
IP:	149.154.167.220
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333

unknown

Details

Name:	https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Source:	JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003663000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.telegram.org/botE7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5UF/sendDocument?chat_id=G6

unknown

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	0
Current Path:	C:\Users\user\Desktop\JFFjXW16yR.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JFFjXW16yR_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3421000

trusted library allocation

page read and write

F02000

unkown

page readonly

3552000

trusted library allocation

page read and write

1BECE000

stack

page read and write

7FFD9B710000

trusted library allocation

page execute and read and write

36B4000

trusted library allocation

page read and write

16B5000

heap

page read and write

F00000

unkown

page readonly

7FFD9B663000

trusted library allocation

page read and write

3210000

heap

page read and write

315E000

stack

page read and write

3531000

trusted library allocation

page read and write

7FFD9B82D000

trusted library allocation

page read and write

1BDC0000

heap

page execute and read and write

1493000

heap

page read and write

7FFD9B820000

trusted library allocation

page read and write

F64000

unkown

page readonly

1450000

heap

page read and write

3658000

trusted library allocation

page read and write

1C60D000

stack

page read and write

13F0000

heap

page read and write

147A000

heap

page read and write

7FFD9B670000

trusted library allocation

page read and write

1BCDF000

stack

page read and write

F00000

unkown

page readonly

7FFD9B67D000

trusted library allocation

page execute and read and write

3663000

trusted library allocation

page read and write

1BFDA000

heap

page read and write

7FFD9B650000

trusted library allocation

page read and write

7FFD9B800000

trusted library allocation

page execute and read and write

14C0000

heap

page read and write

17BE000

stack

page read and write

7FFD9B870000

trusted library allocation

page execute and read and write

13421000

trusted library allocation

page read and write

7FFD9B66D000

trusted library allocation

page execute and read and write

14D7000

heap

page read and write

1456000

heap

page read and write

14C4000

heap

page read and write

7FFD9B700000

trusted library allocation

page read and write

3655000

trusted library allocation

page read and write

FF0000

heap

page read and write

164E000

stack

page read and write

7FF42F990000

trusted library allocation

page execute and read and write

1420000

heap

page read and write

12E3000

stack

page read and write

7FFD9B736000

trusted library allocation

page execute and read and write

1410000

heap

page read and write

354C000

trusted library allocation

page read and write

7FFD9B770000

trusted library allocation

page execute and read and write

7FFD9B654000

trusted library allocation

page read and write

1BFCE000

stack

page read and write

1670000

trusted library allocation

page read and write

3679000

trusted library allocation

page read and write

1BFD0000

heap

page read and write

1690000

trusted library allocation

page read and write

7FFD9B706000

trusted library allocation

page read and write

3693000

trusted library allocation

page read and write

7FFD9B653000

trusted library allocation

page execute and read and write

1520000

heap

page read and write

7FFD9B67B000

trusted library allocation

page execute and read and write

352D000

trusted library allocation

page read and write

7FFD9B70C000

trusted library allocation

page execute and read and write

1C40E000

stack

page read and write

1B89C000

stack

page read and write

1C70F000

stack

page read and write

16B0000

heap

page read and write

36B8000

trusted library allocation

page read and write

1C029000

heap

page read and write

7FFD9B850000

trusted library allocation

page read and write

1504000

heap

page read and write

1490000

heap

page read and write

1415000

heap

page read and write

7FFD9B65D000

trusted library allocation

page execute and read and write

3410000

heap

page execute and read and write

7FFD9B810000

trusted library allocation

page read and write

7FFD9B840000

trusted library allocation

page read and write

7FFD9B652000

trusted library allocation

page read and write

7FFD9B830000

trusted library allocation

page read and write

1342B000

trusted library allocation

page read and write

13D0000

heap

page read and write

1534000

heap

page read and write

1C30E000

stack

page read and write

7FFD9B7F0000

trusted library allocation

page read and write

1C50E000

stack

page read and write

145C000

heap

page read and write

36BC000

trusted library allocation

page read and write

18BE000

stack

page read and write

36A6000

trusted library allocation

page read and write

7FFD9B860000

trusted library allocation

page read and write

7FFD9B6AC000

trusted library allocation

page execute and read and write

7FFD9B674000

trusted library allocation

page read and write

There are 81 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
JFFjXW16yR.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportJFFjXW16yR.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
JFFjXW16yR.exe