Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7472
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	244360
MD5:	0CE3DC374E49433D7E15D02C015E0EE3
Time:	12:07:49
Date:	29/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	253952
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7544
Target ID:	2
Parent PID:	7472
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	12:07:50
Date:	29/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7564
Target ID:	3
Parent PID:	7472
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	12:07:50
Date:	29/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf50000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7480
Target ID:	1
Parent PID:	7472
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:07:49
Date:	29/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 932

Details

Is windows:	true
Is dropped:	false
PID:	7668
Target ID:	6
Parent PID:	7472
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 932
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	12:07:50
Date:	29/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x390000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://78.46.229.36/msvcp140.dll

78.46.229.36

https://78.46.229.36/mozglue.dll

78.46.229.36

https://78.46.229.36/

78.46.229.36

https://78.46.229.36/softokn3.dll

78.46.229.36

https://78.46.229.36/freebl3.dll

78.46.229.36

https://78.46.229.36/nss3.dll

78.46.229.36

https://78.46.229.36/vcruntime140.dll

78.46.229.36

https://78.46.229.36/sqlm.dll

78.46.229.36

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=swtsTjCD0CFZ&amp

unknown

https://78.46.229.36/Hos

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://78.46.229.36/~&

unknown

https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli

unknown

https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&

unknown

https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE

unknown

https://steamcommunity.com/profiles/76561199658817715/badges

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://78.46.229.36/U&

unknown

https://78.46.229.36/msvcp140.dllxE

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=kMVE

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&

unknown

https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&

unknown

https://steamcommunity.com/g

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://78.46.229.36/ramData

unknown

https://steamcommunity.com/profiles/76561199658817715c

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK

unknown

https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp

unknown

https://www.ecosia.org/newtab/

unknown

https://78.46.229.36/mozglue.dll2E

unknown

https://78.46.229.36/p&

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://78.46.229.36HIJKF

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://78.46.229.36

unknown

https://78.46.229.36/msvcp140.dllnE

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://78.46.229.36/nes

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://78.46.229.36/softokn3.dllBE

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&

unknown

https://help.steampowered.com/en/

unknown

https://78.46.229.36IDGIE

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis

unknown

https://78.46.229.36/d

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://78.46.229.36/g

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

https://steamcommunity.com/discussions/

unknown

https://steamcommunity.com/profiles/76561199658817715

104.112.44.153

https://78.46.229.36/2

unknown

https://steamcommunity.com/profiles/76561199658817715/inventory/

unknown

https://store.steampowered.com/stats/

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p

unknown

https://78.46.229.36/B

unknown

https://78.46.229.36/D

unknown

https://steamcommunity.com/workshop/

unknown

https://store.steampowered.com/legal/

unknown

https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okCristina

unknown

http://www.sqlite.org/copyright.html.

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=

unknown

https://78.46.229.36JEBKE

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli

unknown

http://upx.sf.net

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.112.44.153

Details

Name:	steamcommunity.com
IP:	104.112.44.153
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

78.46.229.36

unknown

Germany

Details

IP:	78.46.229.36
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.112.44.153

steamcommunity.com

United States

Details

IP:	104.112.44.153
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking