Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

ATF-Cleaner.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.723256803059102
Filename:	ATF-Cleaner.exe
Filesize:	50688
MD5:	d9de89f0faf18019bc9595f0f47bca61
SHA1:	7a044dfe1c5e780f3f2b52b3bd066e463a37886e
SHA256:	e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a
SHA512:	236d2908eb66bf50e4645e9f1d1b6bf8f276d7d3648625c84c5fe1fed5c7a8e69383515201a6ba92804f5fa2ee2f63fcb73f32b6932990ab8d43750edcc4768e
SSDEEP:	768:+NhzxwvYERUcNJLLAAYZPTn68f0Ii+i3Fwv04AhDUt6dzvqcOh:4h9wvveMLJwTFi3a048okqcOh
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.......................k...............Rich....................PE..L...{Y.E..................... ...0.......@........@........

Signature Hits	Behavior Group	Mitre Attack
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Binary contains paths to development resources	System Summary
Creates mutexes	System Summary
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP
Category:	dropped
Dump:	~DF46DEC0923004EC71.TMP.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ATF-Cleaner.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	1.5209559012846714
Encrypted:	false
Ssdeep:	48:rCDUbAsRGmEUvnEWZj2WgOv2SNIuR6u9qbe:GDUbbhE1WBfgU6unE
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ATF-Cleaner.exe

"C:\Users\user\Desktop\ATF-Cleaner.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7960
Target ID:	0
Parent PID:	3964
Name:	ATF-Cleaner.exe
Path:	C:\Users\user\Desktop\ATF-Cleaner.exe
Commandline:	"C:\Users\user\Desktop\ATF-Cleaner.exe"
Size:	50688
MD5:	D9DE89F0FAF18019BC9595F0F47BCA61
Time:	00:21:37
Date:	19/04/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	331776
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary

URLs

Name

Malicious

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu-

unknown

Details

Name:	https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu-
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ATF-Cleaner.exe
Source:	ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

2150000

trusted library allocation

page read and write

770000

heap

page read and write

337F000

stack

page read and write

2B50000

heap

page read and write

97000

stack

page read and write

7ED000

heap

page read and write

44D000

unkown

page execute and read and write

401000

unkown

page execute and read and write

4A9F000

stack

page read and write

7BA000

heap

page read and write

400000

unkown

page readonly

220E000

stack

page read and write

4B20000

trusted library allocation

page read and write

460000

heap

page read and write

44F000

unkown

page read and write

635000

heap

page read and write

2B40000

heap

page read and write

22C0000

trusted library allocation

page read and write

44F000

unkown

page write copy

7B0000

heap

page read and write

226E000

stack

page read and write

449000

unkown

page execute and read and write

22B0000

heap

page read and write

44E000

unkown

page execute and write copy

540000

heap

page read and write

2218000

heap

page read and write

22B9000

heap

page read and write

499E000

stack

page read and write

2B1E000

stack

page read and write

19B000

stack

page read and write

2C50000

trusted library section

page read and write

22B5000

heap

page read and write

2AD0000

heap

page read and write

790000

heap

page read and write

7CF000

heap

page read and write

630000

heap

page read and write

2B44000

heap

page read and write

2290000

trusted library allocation

page read and write

7BE000

heap

page read and write

2210000

heap

page read and write

444000

unkown

page execute and write copy

620000

heap

page read and write

400000

unkown

page readonly

2270000

heap

page read and write

5F0000

trusted library allocation

page execute read

327E000

stack

page read and write

323F000

stack

page read and write

815000

heap

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ATF-Cleaner.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportATF-Cleaner.exe

Files

Processes

URLs

Memdumps

IOC Report
ATF-Cleaner.exe