Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\tfSYi9zABT.exe

"C:\Users\user\Desktop\tfSYi9zABT.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6676
Target ID:	0
Parent PID:	2580
Name:	tfSYi9zABT.exe
Path:	C:\Users\user\Desktop\tfSYi9zABT.exe
Commandline:	"C:\Users\user\Desktop\tfSYi9zABT.exe"
Size:	355840
MD5:	CEF03024E5B35B5197C1337596109958
Time:	23:58:55
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb00000
Modulesize:	385024
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Quasar RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://ip-api.com/json/

208.95.112.1

Details

Name:	http://ip-api.com/json/
IP:	208.95.112.1
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\tfSYi9zABT.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

~^')}-{#

Details

Name:	~^')}-{#
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\tfSYi9zABT.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://api.ipify.org/

unknown

http://freegeoip.net/xml/

unknown

http://schemas.datacontract.org/2004/07/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

crissnda5.ddns.net

87.121.86.32

Details

Name:	crissnda5.ddns.net
IP:	87.121.86.32
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Details

IP:	208.95.112.1
TargetID:	0
Current Path:	C:\Users\user\Desktop\tfSYi9zABT.exe
Country:	United States
Countrycode:	USA
ASN number:	53334
ASN name:	TUT-ASUS
Private:	false
Domain:	ip-api.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

87.121.86.32

crissnda5.ddns.net

Bulgaria

Details

IP:	87.121.86.32
TargetID:	0
Current Path:	C:\Users\user\Desktop\tfSYi9zABT.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34577
ASN name:	SKATTV-ASBG
Private:	false
Domain:	crissnda5.ddns.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\tfSYi9zABT_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

B02000

unkown

page readonly

7FFD9B770000

trusted library allocation

page read and write

7FFD9B940000

trusted library allocation

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

1B9E2000

heap

page read and write

1B280000

heap

page read and write

106B000

trusted library allocation

page read and write

7FFD9B75D000

trusted library allocation

page execute and read and write

12BE000

stack

page read and write

7FF4DC9A0000

trusted library allocation

page execute and read and write

7FFD9B950000

trusted library allocation

page execute and read and write

1080000

trusted library allocation

page read and write

1060000

trusted library allocation

page read and write

FD0000

heap

page read and write

7FFD9B970000

trusted library allocation

page read and write

1B9E0000

heap

page read and write

1BCAB000

stack

page read and write

7FFD9B77B000

trusted library allocation

page execute and read and write

1B48D000

stack

page read and write

1C2EE000

stack

page read and write

1B7D0000

heap

page read and write

1030000

heap

page read and write

2F01000

trusted library allocation

page read and write

B00000

unkown

page readonly

7FFD9B806000

trusted library allocation

page read and write

7FFD9B980000

trusted library allocation

page read and write

7FFD9B763000

trusted library allocation

page read and write

10FF000

heap

page read and write

10B0000

heap

page read and write

EF4000

stack

page read and write

7FFD9B90D000

trusted library allocation

page read and write

7FFD9B774000

trusted library allocation

page read and write

7FFD9B920000

trusted library allocation

page execute and read and write

2CE0000

heap

page read and write

1130000

heap

page read and write

35AB000

trusted library allocation

page read and write

1BDAE000

stack

page read and write

1BA2C000

heap

page read and write

1C4E9000

stack

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

1BA39000

heap

page read and write

7FFD9B754000

trusted library allocation

page read and write

1090000

trusted library allocation

page read and write

1035000

heap

page read and write

7FFD9B752000

trusted library allocation

page read and write

30B3000

trusted library allocation

page read and write

1C5EA000

stack

page read and write

1B9FF000

heap

page read and write

2DF0000

heap

page read and write

7FFD9B8F0000

trusted library allocation

page read and write

2EFE000

stack

page read and write

1BA28000

heap

page read and write

112A000

heap

page read and write

7FFD9B914000

trusted library allocation

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

7FFD9B80C000

trusted library allocation

page execute and read and write

7FFD9B960000

trusted library allocation

page read and write

1B9D4000

heap

page read and write

7FFD9B990000

trusted library allocation

page read and write

7FFD9B900000

trusted library allocation

page read and write

10B5000

heap

page read and write

1010000

heap

page read and write

1B9B0000

heap

page read and write

7FFD9B870000

trusted library allocation

page execute and read and write

7FFD9B753000

trusted library allocation

page execute and read and write

7FFD9B750000

trusted library allocation

page read and write

7FFD9B96C000

trusted library allocation

page read and write

7FFD9B910000

trusted library allocation

page read and write

7FFD9B7AC000

trusted library allocation

page execute and read and write

1BA18000

heap

page read and write

7FFD9B810000

trusted library allocation

page execute and read and write

12F01000

trusted library allocation

page read and write

2D30000

heap

page execute and read and write

1B9A0000

heap

page execute and read and write

10C9000

heap

page read and write

B5A000

unkown

page readonly

7FFD9B836000

trusted library allocation

page execute and read and write

FF0000

heap

page read and write

7FFD9B906000

trusted library allocation

page read and write

1B8CE000

heap

page read and write

BE0000

heap

page read and write

10E7000

heap

page read and write

10FD000

heap

page read and write

1B9DE000

heap

page read and write

7FFD9B800000

trusted library allocation

page read and write

B00000

unkown

page readonly

7FFD9B930000

trusted library allocation

page execute and read and write

1093000

trusted library allocation

page read and write

10C0000

heap

page read and write

1AF30000

trusted library allocation

page read and write

1B87B000

heap

page read and write

There are 81 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
tfSYi9zABT.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReporttfSYi9zABT.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
tfSYi9zABT.exe