Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

G53ADrk4YR.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.512730398495966
Filename:	G53ADrk4YR.exe
Filesize:	67584
MD5:	e4fdff5a89f062dfad43059a9fbe8d80
SHA1:	3f6615b2421fab68e19f87cf834621cb330c730f
SHA256:	e61d52a9c9e88e95650fcee8c8aca19da6dc97a78703be06cf0b8d08e0aeb012
SHA512:	843bb88e42b4d82d4702fae47dfae078334c4db54e2ce8124f33d319c765058f652b2235604e02ff104d8d306a88ff9618ff51e51f996847e87ed0e2b4227707
SSDEEP:	1536:zmfWSqHdykrVMKuJUYFs1LK1/dMbCYtGSamQRxqmMdrmTGdx:zmeSqHdykGKuJUYFwi1MbfE5/RxqmMdh
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................>.... ... ....@.. .......................`............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\G53ADrk4YR.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.996617769952133
Encrypted:	true
Ssdeep:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
Size:	71954
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\G53ADrk4YR.exe
Type:	data
Entropy:	3.1501841598665044
Encrypted:	false
Ssdeep:	6:kKvW9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:HZDnLNkPlE99SNxAhUe/3
Size:	328
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\G53ADrk4YR.exe

"C:\Users\user\Desktop\G53ADrk4YR.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5932
Target ID:	0
Parent PID:	2580
Name:	G53ADrk4YR.exe
Path:	C:\Users\user\Desktop\G53ADrk4YR.exe
Commandline:	"C:\Users\user\Desktop\G53ADrk4YR.exe"
Size:	67584
MD5:	E4FDFF5A89F062DFAD43059A9FBE8D80
Time:	14:57:01
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xae0000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

IPs

Domain

Country

Malicious

82.9.14.4

unknown

United Kingdom

Details

IP:	82.9.14.4
TargetID:	0
Current Path:	C:\Users\user\Desktop\G53ADrk4YR.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	5089
ASN name:	NTLGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2E51000

trusted library allocation

page read and write

AE2000

unkown

page readonly

11C0000

heap

page read and write

10F2000

trusted library allocation

page read and write

2E0C000

stack

page read and write

604D000

stack

page read and write

6B3D000

stack

page read and write

5E3E000

stack

page read and write

5DD5000

trusted library allocation

page read and write

5DE9000

trusted library allocation

page read and write

10E0000

trusted library allocation

page read and write

1108000

heap

page read and write

BF0000

heap

page read and write

620C000

stack

page read and write

6F90000

heap

page read and write

EF8000

stack

page read and write

1137000

heap

page read and write

2E20000

heap

page read and write

2E40000

heap

page read and write

F40000

heap

page read and write

638E000

stack

page read and write

5DC6000

trusted library allocation

page read and write

6000000

trusted library allocation

page read and write

2EEB000

trusted library allocation

page read and write

5BA0000

heap

page read and write

6D3E000

stack

page read and write

568E000

stack

page read and write

AE0000

unkown

page readonly

10C0000

trusted library allocation

page read and write

63CC000

stack

page read and write

105E000

stack

page read and write

634E000

stack

page read and write

10E6000

trusted library allocation

page execute and read and write

1410000

trusted library allocation

page read and write

11E2000

heap

page read and write

5DB4000

trusted library allocation

page read and write

5DF0000

trusted library allocation

page read and write

5388000

heap

page read and write

3308000

trusted library allocation

page read and write

10C3000

trusted library allocation

page execute and read and write

2DAF000

stack

page read and write

2E10000

trusted library allocation

page read and write

3E59000

trusted library allocation

page read and write

112A000

heap

page read and write

10CD000

trusted library allocation

page execute and read and write

53A0000

trusted library allocation

page read and write

11D1000

heap

page read and write

5DEB000

trusted library allocation

page read and write

53A7000

trusted library allocation

page read and write

145E000

stack

page read and write

5DA4000

trusted library allocation

page read and write

B8C000

stack

page read and write

11BC000

heap

page read and write

539E000

heap

page read and write

52A0000

heap

page read and write

3181000

trusted library allocation

page read and write

4F4E000

stack

page read and write

1135000

heap

page read and write

608E000

stack

page read and write

11A2000

heap

page read and write

13FF000

stack

page read and write

11CF000

heap

page read and write

53B0000

heap

page execute and read and write

10EA000

trusted library allocation

page execute and read and write

11ED000

heap

page read and write

644C000

stack

page read and write

640C000

stack

page read and write

578E000

stack

page read and write

111E000

heap

page read and write

F45000

heap

page read and write

10F0000

trusted library allocation

page read and write

550C000

stack

page read and write

11F9000

heap

page read and write

3E51000

trusted library allocation

page read and write

F3E000

stack

page read and write

10FB000

trusted library allocation

page execute and read and write

5FDE000

stack

page read and write

539B000

heap

page read and write

1100000

heap

page read and write

564E000

stack

page read and write

630D000

stack

page read and write

1507000

heap

page read and write

1500000

heap

page read and write

1060000

heap

page read and write

1468000

trusted library allocation

page read and write

10E2000

trusted library allocation

page read and write

5DE0000

trusted library allocation

page read and write

2DB0000

trusted library allocation

page execute and read and write

6C3E000

stack

page read and write

3E57000

trusted library allocation

page read and write

10F7000

trusted library allocation

page execute and read and write

12FE000

stack

page read and write

10D0000

trusted library allocation

page read and write

2DC0000

heap

page execute and read and write

6F80000

heap

page read and write

7FAD0000

trusted library allocation

page execute and read and write

554E000

stack

page read and write

1070000

heap

page read and write

10C4000

trusted library allocation

page read and write

540E000

stack

page read and write

57CE000

stack

page read and write

10B0000

trusted library allocation

page read and write

5316000

heap

page read and write

58CE000

stack

page read and write

5DC9000

trusted library allocation

page read and write

1067000

heap

page read and write

11CD000

heap

page read and write

5390000

heap

page read and write

317F000

trusted library allocation

page read and write

There are 99 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
G53ADrk4YR.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportG53ADrk4YR.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
G53ADrk4YR.exe