Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Qzo7rljbyQ.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.979809290565102
Filename:	Qzo7rljbyQ.exe
Filesize:	347136
MD5:	1ddbc000b99fcedfa0411caa0958a3ce
SHA1:	454c0a25d42ae1c8e2616f757f6652850599aa83
SHA256:	d8d44d10581a16f9dcd963b111ab9329da6c625b6692e1bfe4f653b9ba1a7b77
SHA512:	f9b5b3745ee733eee1cce9afb4a23426290783332bab6feb1ddb6ab5f33c4b90e69fb8fb0986b21298161a44124024bbc0eeeb9694525c85dbc3ec36bbb697c6
SSDEEP:	6144:m22f36dKOCwcLsAWCcPZLIawiX1CMk3olVvmV6eMtexRxVQuH9IrgY:f2f6KOC9LsBCy1X1CMkMvmga3DdIr
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................B..........>`... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Detected PureCrypter Trojan	HIPS / PFW / Operating System Protection Evasion	PowerShell
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Bitcoin Wallet information	Stealing of Sensitive Information
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Qzo7rljbyQ.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.996617769952133
Encrypted:	true
Ssdeep:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
Size:	71954
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

modified

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	modified
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Qzo7rljbyQ.exe
Type:	data
Entropy:	3.245596380966818
Encrypted:	false
Ssdeep:	6:kKfnR9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:XADImsLNkPlE99SNxAhUe/3
Size:	328
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Qzo7rljbyQ.exe

"C:\Users\user\Desktop\Qzo7rljbyQ.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6600
Target ID:	0
Parent PID:	2580
Name:	Qzo7rljbyQ.exe
Path:	C:\Users\user\Desktop\Qzo7rljbyQ.exe
Commandline:	"C:\Users\user\Desktop\Qzo7rljbyQ.exe"
Size:	347136
MD5:	1DDBC000B99FCEDFA0411CAA0958A3CE
Time:	03:32:55
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://stackoverflow.com/q/14436606/23354

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://stackoverflow.com/q/2152978/23354rCannot

unknown

https://stackoverflow.com/q/11564914/23354;

unknown

https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe

unknown

https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe

unknown

https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll

unknown

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

IPs

Domain

Country

Malicious

167.88.160.63

unknown

United States

Details

IP:	167.88.160.63
TargetID:	0
Current Path:	C:\Users\user\Desktop\Qzo7rljbyQ.exe
Country:	United States
Countrycode:	USA
ASN number:	53667
ASN name:	PONYNETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected PureCrypter Trojan	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

8C28000

heap

page read and write

984E000

stack

page read and write

338E000

trusted library allocation

page read and write

7FD5000

heap

page read and write

3476000

trusted library allocation

page read and write

7D90000

trusted library allocation

page read and write

7880000

trusted library allocation

page read and write

338B000

trusted library allocation

page read and write

4D17000

trusted library allocation

page read and write

3278000

trusted library allocation

page read and write

33DA000

trusted library allocation

page read and write

3275000

trusted library allocation

page read and write

342A000

trusted library allocation

page read and write

31FA000

trusted library allocation

page read and write

3594000

trusted library allocation

page read and write

3516000

trusted library allocation

page read and write

1645000

trusted library allocation

page execute and read and write

33DE000

trusted library allocation

page read and write

7D10000

trusted library allocation

page read and write

362C000

trusted library allocation

page read and write

163E000

stack

page read and write

1413000

trusted library allocation

page execute and read and write

3606000

trusted library allocation

page read and write

353F000

trusted library allocation

page read and write

8EED000

stack

page read and write

D02000

unkown

page readonly

7D50000

trusted library allocation

page execute and read and write

33B6000

trusted library allocation

page read and write

1700000

heap

page read and write

1516000

heap

page read and write

78A0000

trusted library allocation

page read and write

8D7A000

heap

page read and write

3270000

trusted library allocation

page read and write

9170000

heap

page read and write

360C000

trusted library allocation

page read and write

353D000

trusted library allocation

page read and write

1857000

heap

page read and write

3590000

trusted library allocation

page read and write

3221000

trusted library allocation

page read and write

34A6000

trusted library allocation

page read and write

7BD0000

trusted library section

page read and write

1432000

trusted library allocation

page read and write

7F08000

heap

page read and write

7D30000

trusted library allocation

page read and write

14B0000

heap

page read and write

329D000

trusted library allocation

page read and write

3432000

trusted library allocation

page read and write

7D20000

trusted library allocation

page read and write

1690000

trusted library allocation

page execute and read and write

1525000

heap

page read and write

4001000

trusted library allocation

page read and write

127E000

stack

page read and write

1414000

trusted library allocation

page read and write

16EE000

stack

page read and write

3541000

trusted library allocation

page read and write

3566000

trusted library allocation

page read and write

1642000

trusted library allocation

page read and write

7FBD000

heap

page read and write

358E000

trusted library allocation

page read and write

9950000

trusted library allocation

page read and write

362E000

trusted library allocation

page read and write

335D000

trusted library allocation

page read and write

16A0000

heap

page read and write

3452000

trusted library allocation

page read and write

8BF0000

trusted library allocation

page execute and read and write

1300000

heap

page read and write

35B6000

trusted library allocation

page read and write

1640000

trusted library allocation

page read and write

180E000

stack

page read and write

333E000

trusted library allocation

page read and write

8BC0000

trusted library allocation

page read and write

3248000

trusted library allocation

page read and write

8280000

trusted library allocation

page execute and read and write

33B2000

trusted library allocation

page read and write

1482000

heap

page read and write

54E0000

trusted library allocation

page read and write

7CDB000

trusted library allocation

page read and write

48FD000

trusted library allocation

page read and write

950C000

stack

page read and write

321A000

trusted library allocation

page read and write

3518000

trusted library allocation

page read and write

7C9E000

trusted library allocation

page read and write

96CC000

stack

page read and write

33D6000

trusted library allocation

page read and write

34F2000

trusted library allocation

page read and write

7F6F0000

trusted library allocation

page execute and read and write

1448000

heap

page read and write

7D80000

trusted library allocation

page read and write

3402000

trusted library allocation

page read and write

342E000

trusted library allocation

page read and write

34F0000

trusted library allocation

page read and write

5723000

trusted library allocation

page read and write

8D74000

heap

page read and write

1670000

heap

page read and write

35DC000

trusted library allocation

page read and write

3298000

trusted library allocation

page read and write

3001000

trusted library allocation

page read and write

8E40000

trusted library allocation

page read and write

33FE000

trusted library allocation

page read and write

8BE0000

trusted library allocation

page execute and read and write

7D70000

trusted library allocation

page read and write

3226000

trusted library allocation

page read and write

3608000

trusted library allocation

page read and write

3360000

trusted library allocation

page read and write

34CA000

trusted library allocation

page read and write

3384000

trusted library allocation

page read and write

56EE000

stack

page read and write

3224000

trusted library allocation

page read and write

1660000

trusted library allocation

page read and write

7D01000

trusted library allocation

page read and write

356C000

trusted library allocation

page read and write

3568000

trusted library allocation

page read and write

994D000

stack

page read and write

324D000

trusted library allocation

page read and write

12BE000

stack

page read and write

8C00000

heap

page read and write

351E000

trusted library allocation

page read and write

8290000

trusted library allocation

page execute and read and write

D00000

unkown

page readonly

1230000

heap

page read and write

3364000

trusted library allocation

page read and write

7CE0000

trusted library allocation

page read and write

35BC000

trusted library allocation

page read and write

34CE000

trusted library allocation

page read and write

3250000

trusted library allocation

page read and write

8E50000

trusted library allocation

page read and write

8EF0000

heap

page read and write

3428000

trusted library allocation

page read and write

557E000

stack

page read and write

3478000

trusted library allocation

page read and write

DEB000

stack

page read and write

3316000

trusted library allocation

page read and write

5010000

trusted library allocation

page execute and read and write

5710000

trusted library allocation

page read and write

8C6A000

heap

page read and write

7EDC000

stack

page read and write

34C8000

trusted library allocation

page read and write

3406000

trusted library allocation

page read and write

3426000

trusted library allocation

page read and write

3564000

trusted library allocation

page read and write

1539000

heap

page read and write

3604000

trusted library allocation

page read and write

184C000

stack

page read and write

35E4000

trusted library allocation

page read and write

55E0000

heap

page read and write

31E8000

trusted library allocation

page read and write

3630000

trusted library allocation

page read and write

519E000

stack

page read and write

5740000

heap

page execute and read and write

1436000

trusted library allocation

page execute and read and write

3454000

trusted library allocation

page read and write

1305000

heap

page read and write

35B8000

trusted library allocation

page read and write

1850000

heap

page read and write

34A2000

trusted library allocation

page read and write

347A000

trusted library allocation

page read and write

164B000

trusted library allocation

page execute and read and write

141D000

trusted library allocation

page execute and read and write

3025000

trusted library allocation

page read and write

1410000

trusted library allocation

page read and write

1707000

heap

page read and write

35DE000

trusted library allocation

page read and write

33D8000

trusted library allocation

page read and write

3456000

trusted library allocation

page read and write

8CFC000

heap

page read and write

3634000

trusted library allocation

page read and write

8BDC000

trusted library allocation

page read and write

33AE000

trusted library allocation

page read and write

8BD0000

trusted library allocation

page read and write

3326000

trusted library allocation

page read and write

332D000

trusted library allocation

page read and write

34EE000

trusted library allocation

page read and write

3362000

trusted library allocation

page read and write

143A000

trusted library allocation

page execute and read and write

16F0000

heap

page execute and read and write

1468000

heap

page read and write

347E000

trusted library allocation

page read and write

980E000

stack

page read and write

56F0000

trusted library allocation

page read and write

351A000

trusted library allocation

page read and write

7DDC000

stack

page read and write

1508000

heap

page read and write

7BCE000

stack

page read and write

144E000

heap

page read and write

34F6000

trusted library allocation

page read and write

34A0000

trusted library allocation

page read and write

33B0000

trusted library allocation

page read and write

1647000

trusted library allocation

page execute and read and write

95CD000

stack

page read and write

1430000

trusted library allocation

page read and write

3544000

trusted library allocation

page read and write

3400000

trusted library allocation

page read and write

134F000

stack

page read and write

5580000

trusted library section

page read and write

D58000

unkown

page readonly

7EF0000

heap

page read and write

1440000

heap

page read and write

4C5F000

trusted library allocation

page read and write

321E000

trusted library allocation

page read and write

7D40000

trusted library allocation

page read and write

1530000

heap

page read and write

329A000

trusted library allocation

page read and write

12F0000

trusted library allocation

page read and write

1486000

heap

page read and write

1150000

heap

page read and write

138E000

stack

page read and write

1420000

trusted library allocation

page read and write

7CF0000

trusted library allocation

page read and write

358C000

trusted library allocation

page read and write

505D000

stack

page read and write

349E000

trusted library allocation

page read and write

35E0000

trusted library allocation

page read and write

8D7F000

heap

page read and write

49BE000

trusted library allocation

page read and write

34C6000

trusted library allocation

page read and write

8C78000

heap

page read and write

82A0000

trusted library allocation

page read and write

970E000

stack

page read and write

7D60000

trusted library allocation

page read and write

10F8000

stack

page read and write

8E3E000

unkown

page read and write

5730000

trusted library allocation

page read and write

35B4000

trusted library allocation

page read and write

5720000

trusted library allocation

page read and write

There are 214 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Qzo7rljbyQ.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQzo7rljbyQ.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Qzo7rljbyQ.exe