Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2016
Target ID:	1
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	229512
MD5:	78F23006210BDA6B5E26B8CBEFA9758A
Time:	20:34:48
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe80000
Modulesize:	237568
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6212
Target ID:	3
Parent PID:	2016
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	20:34:49
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd0000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5832
Target ID:	4
Parent PID:	2016
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	20:34:49
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xde0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6060
Target ID:	2
Parent PID:	2016
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	20:34:48
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 848

Details

Is windows:	true
Is dropped:	false
PID:	7160
Target ID:	8
Parent PID:	2016
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 848
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	20:34:50
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xba0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://78.46.229.36/msvcp140.dll

78.46.229.36

https://steamcommunity.com/?subsection=broadcasts

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=GRA9

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://78.46.229.36/Bi

unknown

https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli

unknown

https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&

unknown

https://78.46.229.36/msvcp140.dllh

unknown

https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE

unknown

https://steamcommunity.com/profiles/76561199658817715/badges

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://78.46.229.36/mozglue.dllZ

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://78.46.229.36/mozglue.dll

78.46.229.36

https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&

unknown

https://78.46.229.36/

78.46.229.36

https://78.46.229.36/sqlm.dllf

unknown

https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&

unknown

https://78.46.229.36/softokn3.dll

78.46.229.36

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://78.46.229.36/freebl3.dll

78.46.229.36

https://78.46.229.36/ramData

unknown

https://78.46.229.36/nss3.dll

78.46.229.36

https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK

unknown

https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://78.46.229.36

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://78.46.229.36/s

unknown

https://78.46.229.36/softokn3.dllr

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://78.46.229.36/vcruntime140.dll

78.46.229.36

https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=yp9unEzrjc_Z&amp

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis

unknown

https://78.46.229.36/sqlm.dll

78.46.229.36

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://78.46.229.36/f

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://steamcommunity.com/discussions/

unknown

https://steamcommunity.com/profiles/76561199658817715

104.105.90.131

https://78.46.229.36DBKJJ

unknown

https://steamcommunity.com/profiles/76561199658817715/inventory/

unknown

https://store.steampowered.com/stats/

unknown

https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okRed

unknown

https://78.46.229.36/6

unknown

https://steamcommunity.com/profiles/76561199658817715t

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://78.46.229.36/te5

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p

unknown

https://78.46.229.36/0

unknown

https://78.46.229.36/D

unknown

https://78.46.229.36/F

unknown

https://steamcommunity.com/workshop/

unknown

https://store.steampowered.com/legal/

unknown

http://www.sqlite.org/copyright.html.

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli

unknown

http://upx.sf.net

unknown

https://78.46.229.36/$

unknown

https://store.steampowered.com/

unknown

https://78.46.229.36/freebl3.dll6

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=n5zImpoIZ8N

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://78.46.229.36/Z0t

unknown

https://78.46.229.36HJEBK

unknown

https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://t.me/sa9ok

unknown

https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHl

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.105.90.131

Details

Name:	steamcommunity.com
IP:	104.105.90.131
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

78.46.229.36

unknown

Germany

Details

IP:	78.46.229.36
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.105.90.131

steamcommunity.com

United States

Details

IP:	104.105.90.131
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking