Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\injector V2.4.exe

"C:\Users\user\Desktop\injector V2.4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7436
Target ID:	0
Parent PID:	2580
Name:	injector V2.4.exe
Path:	C:\Users\user\Desktop\injector V2.4.exe
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Size:	495616
MD5:	AD5BF840B79922950CBCD853A3E56134
Time:	08:14:28
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	520192
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected LummaC Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\Desktop\injector V2.4.exe

"C:\Users\user\Desktop\injector V2.4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7496
Target ID:	2
Parent PID:	7436
Name:	injector V2.4.exe
Path:	C:\Users\user\Desktop\injector V2.4.exe
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Size:	495616
MD5:	AD5BF840B79922950CBCD853A3E56134
Time:	08:14:29
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	520192
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected LummaC Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7444
Target ID:	1
Parent PID:	7436
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:14:28
Date:	23/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://farewellnzu.icu/api

104.21.44.93

Details

Name:	https://farewellnzu.icu/api
IP:	104.21.44.93
TargetID:	2
From Memory:	false
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

farewellnzu.icu

Details

Name:	farewellnzu.icu
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

https://farewellnzu.icu/apis

unknown

Details

Name:	https://farewellnzu.icu/apis
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Source:	injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://farewellnzu.icu/

unknown

Details

Name:	https://farewellnzu.icu/
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Source:	injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://farewellnzu.icu/apiw

unknown

Details

Name:	https://farewellnzu.icu/apiw
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Source:	injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://farewellnzu.icu/sion

unknown

Details

Name:	https://farewellnzu.icu/sion
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Source:	injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

farewellnzu.icu

104.21.44.93

Details

Name:	farewellnzu.icu
IP:	104.21.44.93
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.21.44.93

farewellnzu.icu

United States

Details

IP:	104.21.44.93
TargetID:	2
Current Path:	C:\Users\user\Desktop\injector V2.4.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	farewellnzu.icu

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

71E000

heap

page read and write

C11000

unkown

page write copy

C0F000

unkown

page readonly

4D9D000

stack

page read and write

32DC000

heap

page read and write

570000

heap

page read and write

56DF000

stack

page read and write

C11000

unkown

page write copy

31B0000

heap

page read and write

A0F000

stack

page read and write

32C0000

heap

page read and write

32B0000

remote allocation

page read and write

C0B000

unkown

page write copy

5830000

heap

page read and write

BE1000

unkown

page execute read

C0B000

unkown

page write copy

BE0000

unkown

page readonly

34BE000

stack

page read and write

598F000

stack

page read and write

330B000

heap

page read and write

C03000

unkown

page readonly

43C000

stack

page read and write

30FB000

stack

page read and write

571E000

stack

page read and write

32C8000

heap

page read and write

330E000

heap

page read and write

BE0000

unkown

page readonly

C11000

unkown

page write copy

32DC000

heap

page read and write

4DD0000

heap

page read and write

2DE0000

heap

page read and write

53D000

stack

page read and write

313E000

stack

page read and write

BE1000

unkown

page execute read

535E000

stack

page read and write

3315000

heap

page read and write

3315000

heap

page read and write

BE0000

unkown

page readonly

BDD000

stack

page read and write

32B0000

remote allocation

page read and write

32D8000

heap

page read and write

C03000

unkown

page readonly

580000

heap

page read and write

3363000

heap

page read and write

549E000

stack

page read and write

32B0000

remote allocation

page read and write

31AE000

stack

page read and write

531D000

stack

page read and write

C0B000

unkown

page execute and read and write

BE0000

unkown

page readonly

545F000

stack

page read and write

335A000

heap

page read and write

336E000

heap

page read and write

31B5000

heap

page read and write

521D000

stack

page read and write

581E000

stack

page read and write

70E000

stack

page read and write

3309000

heap

page read and write

90F000

stack

page read and write

436D000

stack

page read and write

C03000

unkown

page readonly

3150000

heap

page read and write

71A000

heap

page read and write

C0B000

unkown

page write copy

35BE000

stack

page read and write

588E000

stack

page read and write

C03000

unkown

page readonly

BE1000

unkown

page execute read

C0C000

unkown

page read and write

2D3B000

stack

page read and write

3309000

heap

page read and write

C11000

unkown

page write copy

5CE000

stack

page read and write

3315000

heap

page read and write

55DE000

stack

page read and write

C0F000

unkown

page readonly

5F0000

heap

page read and write

559F000

stack

page read and write

2D90000

heap

page read and write

710000

heap

page read and write

44D0000

heap

page read and write

BE1000

unkown

page execute read

3375000

heap

page read and write

2DDE000

stack

page read and write

3362000

heap

page read and write

C0F000

unkown

page readonly

3371000

heap

page read and write

457000

remote allocation

page execute and read and write

C0F000

unkown

page readonly

There are 80 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
injector V2.4.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportinjector V2.4.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
injector V2.4.exe