Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.610388728923203
Filename:	file.exe
Filesize:	281600
MD5:	0abcf5f274cf19c6f9c75954e9b6a182
SHA1:	e39e1cecaffce08ffd9388ded9e13132e1eb6d51
SHA256:	54267849112931dc771eac100a8e3302f224f5071cc6211723e5acf89bf69156
SHA512:	c61dc07371b03d9a959ff7caac8265eea345fa78e4939d0a4d9491ef879287046ec6e0847b4067c3043fb97f4c1f94c2ac0f5bbc9ba18716ef6e02a4268f02fd
SSDEEP:	6144:dh0ZpFC4sffny7TuLBdZlT4DIJYdy3F8ioyrN:dh0ZpFCfB3TGyYy3uiBZ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`...`...`.....c.x.....V.p.....b._...i.K.e...i.[.t.......c...`.........g.p.....U.a...Rich`...................PE..L....Y@g...

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Searches for specific processes (likely to inject)	HIPS / PFW / Operating System Protection Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal Bitcoin Wallet information	Stealing of Sensitive Information
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Windows Management Instrumentation Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to detect sandboxes (mouse cursor move detection)	Malware Analysis System Evasion	Account Discovery System Owner/User Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Uses 32bit PE files	Compliance, System Summary	Create Account Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)	Malware Analysis System Evasion	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to create a new desktop	Protection of GUI	Create Account
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Create Account
Reads ini files	System Summary
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Temp\delays.tmp

ISO-8859 text, with very long lines (65536), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\delays.tmp
Category:	dropped
Dump:	delays.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:8aaRaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaG:LaJ
Size:	1048575
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6544
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	281600
MD5:	0ABCF5F274CF19C6F9C75954E9B6A182
Time:	04:58:54
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd50000
Modulesize:	2461696
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit

Details

Is windows:	true
Is dropped:	false
PID:	2824
Target ID:	4
Parent PID:	6544
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	04:59:49
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2888
Target ID:	5
Parent PID:	2824
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:59:49
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Details

Is windows:	true
Is dropped:	false
PID:	6120
Target ID:	6
Parent PID:	2824
Name:	timeout.exe
Path:	C:\Windows\SysWOW64\timeout.exe
Commandline:	timeout /t 10
Size:	25088
MD5:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Time:	04:59:49
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe50000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://b2een.xyz/sqlite3.dll

49.13.32.95

https://b2een.xyz/

49.13.32.95

https://t.me/

unknown

https://web.telegram.org

unknown

https://t.me/fu4chmof

unknown

https://t.me/fu4chmor08etMozilla/5.0

unknown

https://steamcommunity.com/profiles/76561199802540894

https://b2een.xyzHJJJJKEG

unknown

https://t.me/O

unknown

https://steamcommunity.com/profiles/76561199802540894r08etMozilla/5.0

unknown

https://b2een.xyz/bi

unknown

https://t.me/fu4chmo338

unknown

https://b2een.xyztosh;

unknown

https://b2een.xyz

unknown

https://t.me/fu4chmo

149.154.167.99

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

b2een.xyz

49.13.32.95

Details

Name:	b2een.xyz
IP:	49.13.32.95
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Performs DNS queries to domains with low reputation	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

49.13.32.95

b2een.xyz

Germany

Details

IP:	49.13.32.95
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	b2een.xyz

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF

Memdumps

Base Address

Regiontype

Protect

Malicious

D81000

unkown

page readonly

DF8000

unkown

page read and write

D81000

unkown

page readonly

D50000

unkown

page readonly

FA3000

unkown

page readonly

C5E000

stack

page read and write

12DCF000

stack

page read and write

365B000

heap

page read and write

7DE000

stack

page read and write

A4CE000

stack

page read and write

DF2000

unkown

page read and write

3595000

heap

page read and write

210A8000

heap

page read and write

D51000

unkown

page execute and write copy

35E1000

heap

page read and write

D8E000

unkown

page write copy

35EB000

heap

page read and write

1C3A0000

remote allocation

page read and write

211C0000

heap

page read and write

3618000

heap

page read and write

35DA000

heap

page read and write

3590000

heap

page read and write

34E2000

stack

page read and write

DB4000

unkown

page read and write

660000

heap

page read and write

35D7000

heap

page read and write

210B8000

heap

page read and write

7F8E000

stack

page read and write

D1E000

stack

page read and write

E36000

unkown

page read and write

35F7000

heap

page read and write

178CE000

stack

page read and write

19E4B000

stack

page read and write

3606000

heap

page read and write

211CA000

heap

page read and write

FA3000

unkown

page readonly

35FE000

heap

page read and write

2148B000

stack

page read and write

F91000

unkown

page read and write

3607000

heap

page read and write

35CF000

heap

page read and write

4420000

heap

page read and write

1C3A0000

remote allocation

page read and write

19E0C000

stack

page read and write

3618000

heap

page read and write

680000

heap

page read and write

3605000

heap

page read and write

EEA000

unkown

page read and write

1E930000

heap

page read and write

35CD000

heap

page read and write

34DE000

stack

page read and write

210A5000

heap

page read and write

21040000

trusted library allocation

page read and write

7AE000

stack

page read and write

670000

heap

page read and write

35DA000

heap

page read and write

36B0000

heap

page read and write

235C0000

heap

page read and write

3609000

heap

page read and write

3AC000

stack

page read and write

1E98B000

stack

page read and write

34DC000

stack

page read and write

3605000

heap

page read and write

3605000

heap

page read and write

917000

heap

page read and write

3EC000

stack

page read and write

C9E000

stack

page read and write

8CF000

stack

page read and write

1788D000

stack

page read and write

35D6000

heap

page read and write

35D8000

heap

page read and write

35D6000

heap

page read and write

35D8000

heap

page read and write

1C3A0000

remote allocation

page read and write

21140000

trusted library allocation

page read and write

685000

heap

page read and write

1C3DE000

stack

page read and write

20F41000

heap

page read and write

88E000

stack

page read and write

DDD000

unkown

page read and write

20F30000

heap

page read and write

20F41000

heap

page read and write

880000

heap

page read and write

21751000

heap

page read and write

357E000

heap

page read and write

D50000

unkown

page readonly

3615000

heap

page read and write

35D0000

heap

page read and write

35DA000

heap

page read and write

3614000

heap

page read and write

35D6000

heap

page read and write

DEF000

unkown

page read and write

7C0000

heap

page read and write

3603000

heap

page read and write

88B000

heap

page read and write

E34F000

stack

page read and write

CDE000

stack

page read and write

35DA000

heap

page read and write

88E000

heap

page read and write

3605000

heap

page read and write

21040000

heap

page read and write

3666000

heap

page read and write

3595000

heap

page read and write

2BA5C000

stack

page read and write

35DA000

heap

page read and write

35FE000

heap

page read and write

883000

heap

page read and write

35D6000

heap

page read and write

D8E000

unkown

page write copy

3618000

heap

page read and write

1088F000

stack

page read and write

35DA000

heap

page read and write

3614000

heap

page read and write

80E000

stack

page read and write

3602000

heap

page read and write

687000

heap

page read and write

687000

heap

page read and write

3589000

heap

page read and write

35DA000

heap

page read and write

35D8000

heap

page read and write

810000

heap

page read and write

3602000

heap

page read and write

63C000

stack

page read and write

1534E000

stack

page read and write

35FF000

heap

page read and write

76E000

stack

page read and write

3564000

heap

page read and write

35DA000

heap

page read and write

369C000

heap

page read and write

650000

heap

page read and write

351E000

heap

page read and write

20ECA000

stack

page read and write

351A000

heap

page read and write

35FE000

heap

page read and write

3605000

heap

page read and write

20F40000

heap

page read and write

910000

heap

page read and write

3610000

heap

page read and write

3603000

heap

page read and write

35FE000

heap

page read and write

3608000

heap

page read and write

34EC000

stack

page read and write

35FA000

heap

page read and write

7B0000

heap

page read and write

358C000

heap

page read and write

3605000

heap

page read and write

35CF000

heap

page read and write

3618000

heap

page read and write

79E000

stack

page read and write

3605000

heap

page read and write

3614000

heap

page read and write

84E000

stack

page read and write

3510000

heap

page read and write

1C38C000

stack

page read and write

35DA000

heap

page read and write

3590000

heap

page read and write

3605000

heap

page read and write

1E91F000

stack

page read and write

1530F000

stack

page read and write

360A000

heap

page read and write

D51000

unkown

page execute and write copy

35F2000

heap

page read and write

36D8000

heap

page read and write

3610000

heap

page read and write

There are 154 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe