Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6876
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	229512
MD5:	ABA4DB269A810B878F86FFABB47CA06C
Time:	15:50:54
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	237568
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7096
Target ID:	2
Parent PID:	6876
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	15:50:54
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6900
Target ID:	1
Parent PID:	6876
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:50:54
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 884

Details

Is windows:	true
Is dropped:	false
PID:	5288
Target ID:	5
Parent PID:	6876
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 884
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	15:50:55
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1e0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://78.46.229.36/softokn3.dll)%

unknown

https://duckduckgo.com/ac/?q=

unknown

https://78.46.229.36/msvcp140.dll

78.46.229.36

https://steamcommunity.com/?subsection=broadcasts

unknown

https://78.46.229.36/Jl

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=GRA9

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://78.46.229.36/nss3.dllw

unknown

https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli

unknown

https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016exe

unknown

https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE

unknown

https://steamcommunity.com/profiles/76561199658817715/badges

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://78.46.229.36/freebl3.dllf

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://78.46.229.36/mozglue.dll

78.46.229.36

https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&

unknown

https://78.46.229.36/

78.46.229.36

https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=

unknown

https://78.46.229.36DAKFB

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&

unknown

https://78.46.229.36/softokn3.dll

78.46.229.36

http://store.steampowered.com/privacy_agreement/

unknown

https://78.46.229.36/mozglue.dllY%B

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ributabl

unknown

https://store.steampowered.com/points/shop/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://78.46.229.36/freebl3.dll

78.46.229.36

https://78.46.229.36/nss3.dll

78.46.229.36

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK

unknown

https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://78.46.229.36

unknown

https://78.46.229.36/~o

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://78.46.229.36/sqlm.dlls#

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

unknown

https://78.46.229.36/vcruntime140.dll

78.46.229.36

https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=yp9unEzrjc_Z&amp

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

https://78.46.229.36/wo

unknown

https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&

unknown

https://steamcommunity.com/$

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://78.46.229.36/fO4

unknown

https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis

unknown

https://78.46.229.36/sqlm.dll

78.46.229.36

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

https://steamcommunity.com/discussions/

unknown

https://steamcommunity.com/profiles/76561199658817715

104.102.129.112

https://steamcommunity.com/profiles/76561199658817715/inventory/

unknown

https://store.steampowered.com/stats/

unknown

https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okRed

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p

unknown

https://78.46.229.36/softokn3.dll=%

unknown

https://78.46.229.36/B

unknown

https://78.46.229.36/D

unknown

https://steamcommunity.com/workshop/

unknown

https://store.steampowered.com/legal/

unknown

http://www.sqlite.org/copyright.html.

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli

unknown

https://78.46.229.36GIJEH

unknown

https://78.46.229.36h;

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=n5zImpoIZ8N

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.129.112

Details

Name:	steamcommunity.com
IP:	104.102.129.112
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.102.129.112

steamcommunity.com

United States

Details

IP:	104.102.129.112
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

78.46.229.36

unknown

Germany

Details

IP:	78.46.229.36
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking