Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xLauncher.exe

"C:\Users\user\Desktop\xLauncher.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5824
Target ID:	0
Parent PID:	1028
Name:	xLauncher.exe
Path:	C:\Users\user\Desktop\xLauncher.exe
Commandline:	"C:\Users\user\Desktop\xLauncher.exe"
Size:	493568
MD5:	CEACA4A19229C3283007E714466F51F8
Time:	08:27:43
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5d0000
Modulesize:	516096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected LummaC Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\Desktop\xLauncher.exe

"C:\Users\user\Desktop\xLauncher.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5660
Target ID:	3
Parent PID:	5824
Name:	xLauncher.exe
Path:	C:\Users\user\Desktop\xLauncher.exe
Commandline:	"C:\Users\user\Desktop\xLauncher.exe"
Size:	493568
MD5:	CEACA4A19229C3283007E714466F51F8
Time:	08:27:44
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5d0000
Modulesize:	516096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected LummaC Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3140
Target ID:	1
Parent PID:	5824
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:27:44
Date:	23/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

fumblingactor.cyou

Details

Name:	fumblingactor.cyou
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\xLauncher.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

https://frogs-severz.sbs/api

172.67.155.47

Details

Name:	https://frogs-severz.sbs/api
IP:	172.67.155.47
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\xLauncher.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://frogs-severz.sbs/apil

unknown

https://frogs-severz.sbs:443/apibcryptPrimitives.dll

unknown

Details

Name:	https://frogs-severz.sbs:443/apibcryptPrimitives.dll
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\xLauncher.exe
Source:	xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://frogs-severz.sbs/

unknown

https://frogs-severz.sbs/api6C

unknown

http://crl.microx

unknown

https://fumblingactor.cyou:443/apiS

unknown

Details

Name:	https://fumblingactor.cyou:443/apiS
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\xLauncher.exe
Source:	xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://frogs-severz.sbs:443/api

unknown

Details

Name:	https://frogs-severz.sbs:443/api
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\xLauncher.exe
Source:	xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

fumblingactor.cyou

unknown

Details

Name:	fumblingactor.cyou
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

frogs-severz.sbs

172.67.155.47

Details

Name:	frogs-severz.sbs
IP:	172.67.155.47
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.155.47

frogs-severz.sbs

United States

Details

IP:	172.67.155.47
TargetID:	3
Current Path:	C:\Users\user\Desktop\xLauncher.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	frogs-severz.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

2A82000

heap

page read and write

2A7B000

heap

page read and write

4A0E000

stack

page read and write

2EC0000

heap

page read and write

5FB000

unkown

page execute and read and write

29DB000

stack

page read and write

2D53000

heap

page read and write

5FF000

unkown

page readonly

520F000

stack

page read and write

458F000

stack

page read and write

2D4E000

heap

page read and write

601000

unkown

page write copy

2D80000

heap

page read and write

456000

remote allocation

page execute and read and write

2CFB000

stack

page read and write

5FF000

unkown

page readonly

2DD6000

heap

page read and write

5D0000

unkown

page readonly

5FB000

unkown

page write copy

2E30000

heap

page read and write

5FB000

unkown

page write copy

2D3A000

heap

page read and write

2DE9000

heap

page read and write

535E000

stack

page read and write

26F0000

heap

page read and write

2FDE000

stack

page read and write

5F3000

unkown

page readonly

5D1000

unkown

page execute read

2FE0000

heap

page read and write

601000

unkown

page write copy

2D8E000

heap

page read and write

2EAE000

stack

page read and write

5F3000

unkown

page readonly

510E000

stack

page read and write

2D30000

heap

page read and write

2DE4000

heap

page read and write

2DD9000

heap

page read and write

2D80000

heap

page read and write

55C0000

heap

page read and write

2D8E000

heap

page read and write

5FF000

unkown

page readonly

5530000

trusted library allocation

page read and write

4FCE000

stack

page read and write

50CE000

stack

page read and write

2DDF000

heap

page read and write

5D0000

unkown

page readonly

444D000

stack

page read and write

5FB000

unkown

page write copy

26B0000

heap

page read and write

2D80000

heap

page read and write

2DE4000

heap

page read and write

5D1000

unkown

page execute read

5210000

remote allocation

page read and write

2D77000

heap

page read and write

4E4D000

stack

page read and write

5FF000

unkown

page readonly

2DE4000

heap

page read and write

2A70000

heap

page read and write

2DF0000

heap

page read and write

5CC000

stack

page read and write

2D80000

heap

page read and write

54CF000

stack

page read and write

525D000

stack

page read and write

5F3000

unkown

page readonly

2D76000

heap

page read and write

5210000

remote allocation

page read and write

5FC000

unkown

page read and write

601000

unkown

page write copy

2DE2000

heap

page read and write

552E000

stack

page read and write

2D53000

heap

page read and write

2DDF000

heap

page read and write

2DE2000

heap

page read and write

2DDF000

heap

page read and write

3066000

heap

page read and write

5D0000

unkown

page readonly

5F3000

unkown

page readonly

303D000

stack

page read and write

5D1000

unkown

page execute read

2D64000

heap

page read and write

490E000

stack

page read and write

2D65000

heap

page read and write

2D8E000

heap

page read and write

448E000

stack

page read and write

4E8D000

stack

page read and write

2EC5000

heap

page read and write

2A3D000

stack

page read and write

53CE000

stack

page read and write

56CF000

stack

page read and write

4CC000

stack

page read and write

4F8D000

stack

page read and write

2D8E000

heap

page read and write

2DE2000

heap

page read and write

2E40000

heap

page read and write

26A0000

heap

page read and write

601000

unkown

page write copy

3060000

heap

page read and write

2D30000

heap

page read and write

5210000

remote allocation

page read and write

5D1000

unkown

page execute read

5D0000

unkown

page readonly

There are 92 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xLauncher.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxLauncher.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
xLauncher.exe