Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\VBqmdl6ttr.exe

"C:\Users\user\Desktop\VBqmdl6ttr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5536
Target ID:	0
Parent PID:	2592
Name:	VBqmdl6ttr.exe
Path:	C:\Users\user\Desktop\VBqmdl6ttr.exe
Commandline:	"C:\Users\user\Desktop\VBqmdl6ttr.exe"
Size:	384000
MD5:	4139A824287596151A7FBC2E357A33AD
Time:	03:11:32
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f72d0000
Modulesize:	425984
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

URLs

Name

Malicious

20.25.126.96

https://20.25.126.96:443/cm

unknown

https://20.25.126.96/m

unknown

https://20.25.126.96/cmf

unknown

http://127.0.0.1:%u/

unknown

https://20.25.126.96/

unknown

https://20.25.126.96/cm

unknown

https://20.25.126.96/6

unknown

https://20.25.126.96/cmr

unknown

https://20.25.126.96/4

unknown

https://20.25.126.96/cmD

unknown

There are 1 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

20.25.126.96

unknown

United States

Details

IP:	20.25.126.96
TargetID:	0
Current Path:	C:\Users\user\Desktop\VBqmdl6ttr.exe
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

1D7C96A0000

direct allocation

page execute and read and write

1D7C93F0000

unclassified section

page execute read

1D7C9475000

heap

page read and write

1D7C9497000

heap

page read and write

1D7C94CB000

heap

page read and write

1D7C94C2000

heap

page read and write

1D7C94BC000

heap

page read and write

7FF7F7336000

unkown

page readonly

1D7C94B9000

heap

page read and write

7FF7F72D4000

unkown

page write copy

1D7C94CB000

heap

page read and write

1D7C94CB000

heap

page read and write

7FF7F7336000

unkown

page readonly

1D7C94B9000

heap

page read and write

1D7C94C5000

heap

page read and write

1D7C9493000

heap

page read and write

1D7C94B3000

heap

page read and write

1D7C94A4000

heap

page read and write

1D7C96E8000

direct allocation

page execute and read and write

1D7C94B9000

heap

page read and write

1D7C93D0000

heap

page read and write

1D7C9680000

remote allocation

page read and write

1D7C94A4000

heap

page read and write

1D7C94A4000

heap

page read and write

1D7C9491000

heap

page read and write

7FF7F732D000

unkown

page readonly

1D7C9481000

heap

page read and write

1D7C947C000

heap

page read and write

1D7C9491000

heap

page read and write

7FF7F7333000

unkown

page write copy

3409FF000

stack

page read and write

1D7C9640000

heap

page read and write

1D7C94C5000

heap

page read and write

1D7C94C2000

heap

page read and write

1D7C94C2000

heap

page read and write

3407FD000

stack

page read and write

1D7C947C000

heap

page read and write

1D7C9491000

heap

page read and write

1D7C9477000

heap

page read and write

1D7C94A4000

heap

page read and write

1D7C9680000

remote allocation

page read and write

1D7C96F1000

direct allocation

page execute and read and write

7FF7F72D1000

unkown

page execute read

1D7C9446000

heap

page read and write

1D7C9493000

heap

page read and write

1D7C94CB000

heap

page read and write

1D7C94BC000

heap

page read and write

1D7C9497000

heap

page read and write

1D7C94BF000

heap

page read and write

7FF7F72D0000

unkown

page readonly

1D7C9479000

heap

page read and write

1D7C9491000

heap

page read and write

1D7C94B3000

heap

page read and write

1D7C9491000

heap

page read and write

1D7C94B3000

heap

page read and write

1D7C96EE000

direct allocation

page execute and read and write

1D7C9479000

heap

page read and write

1D7C94CB000

heap

page read and write

7FF7F7330000

unkown

page read and write

1D7C94C5000

heap

page read and write

1D7C94C0000

heap

page read and write

1D7C9493000

heap

page read and write

1D7C94B9000

heap

page read and write

1D7C9481000

heap

page read and write

1D7C9482000

heap

page read and write

1D7C9695000

heap

page read and write

1D7C92F0000

heap

page read and write

1D7C94C6000

heap

page read and write

1D7C94C2000

heap

page read and write

1D7C9497000

heap

page read and write

1D7C94C3000

heap

page read and write

1D7C94BB000

heap

page read and write

1D7C9471000

heap

page read and write

1D7C94CB000

heap

page read and write

1D7C94B3000

heap

page read and write

7FF7F7333000

unkown

page read and write

1D7C94C5000

heap

page read and write

1D7C9491000

heap

page read and write

1D7C9540000

heap

page read and write

1D7C96EB000

direct allocation

page execute and read and write

1D7C9481000

heap

page read and write

1D7C94A4000

heap

page read and write

1D7C9680000

remote allocation

page read and write

7FF7F72D0000

unkown

page readonly

1D7C94BC000

heap

page read and write

1D7C94C5000

heap

page read and write

3413FE000

stack

page read and write

1D7C947C000

heap

page read and write

1D7C94B9000

heap

page read and write

1D7C9493000

heap

page read and write

1D7C94C2000

heap

page read and write

1D7C94A4000

heap

page read and write

1D7C94BC000

heap

page read and write

1D7C94B3000

heap

page read and write

1D7C94CB000

heap

page read and write

1D7C94CB000

heap

page read and write

1D7C9487000

heap

page read and write

1D7C9690000

heap

page read and write

7FF7F72D4000

unkown

page write copy

3415FE000

stack

page read and write

1D7C9457000

heap

page read and write

1D7C94CB000

heap

page read and write

340FFC000

stack

page read and write

1D7C94CB000

heap

page read and write

1D7C9491000

heap

page read and write

1D7C94A4000

heap

page read and write

1D7C9481000

heap

page read and write

7FF7F72D1000

unkown

page execute read

1D7C94B3000

heap

page read and write

1D7C9487000

heap

page read and write

1D7C94B9000

heap

page read and write

1D7C94C5000

heap

page read and write

340BFC000

stack

page read and write

1D7C9440000

heap

page read and write

7FF7F732D000

unkown

page readonly

1D7C944C000

heap

page read and write

3411FD000

stack

page read and write

1D7C947C000

heap

page read and write

1D7C9481000

heap

page read and write

3417FD000

stack

page read and write

There are 110 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
VBqmdl6ttr.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportVBqmdl6ttr.exe

Processes

URLs

IPs

Memdumps

IOC Report
VBqmdl6ttr.exe