Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

bUAB.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.621111951451253
Filename:	bUAB.exe
Filesize:	48640
MD5:	e3a50cd4b0d687de0371979907eecec8
SHA1:	a985891877f61b6b68b9584b3ebedad6941eb7ec
SHA256:	bbfd0355383f8e0df1442c646737854bfccb138b9c89e86c64c3d49d31e5fbf8
SHA512:	273454ea78c38ed570f90a818a471e13cad94849797cf83b3bd7533581d12b381331afbea428ab571f6efeb260c9ce6bcfbfea5b0df24918b8899b11fda76cb3
SSDEEP:	768:l9GmxD6ILNCaS+Di+LFxh635OiY8Ybage19kOId0vEgK/JjZVc6KN:l9GAHW+RxkQzbNMkOQ0nkJjZVclN
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Machine Learning detection for sample	AV Detection
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\bUAB.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.99584879649948
Encrypted:	true
Ssdeep:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
Size:	69993
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\bUAB.exe
Type:	data
Entropy:	3.1414940076987787
Encrypted:	false
Ssdeep:	6:kKMs3llDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:j3llMkPlE99SNxAhUeVLVt
Size:	330
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\bUAB.exe

"C:\Users\user\Desktop\bUAB.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7532
Target ID:	0
Parent PID:	2580
Name:	bUAB.exe
Path:	C:\Users\user\Desktop\bUAB.exe
Commandline:	"C:\Users\user\Desktop\bUAB.exe"
Size:	48640
MD5:	E3A50CD4B0D687DE0371979907EECEC8
Time:	20:08:55
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3b0000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected DcRat	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\bUAB.exe
Source:	bUAB.exe, 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

window10.duckdns.org

172.94.39.213

Details

Name:	window10.duckdns.org
IP:	172.94.39.213
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

bg.microsoft.map.fastly.net

199.232.210.172

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

217.20.63.34

IPs

Domain

Country

Malicious

172.94.39.213

window10.duckdns.org

United States

Details

IP:	172.94.39.213
TargetID:	0
Current Path:	C:\Users\user\Desktop\bUAB.exe
Country:	United States
Countrycode:	USA
ASN number:	9009
ASN name:	M247GB
Private:	false
Domain:	window10.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit

Version

Memdumps

Base Address

Regiontype

Protect

Malicious

26C1000

trusted library allocation

page read and write

3B2000

unkown

page readonly

29C3000

trusted library allocation

page read and write

2743000

trusted library allocation

page read and write

1B3DF000

stack

page read and write

1B072000

heap

page read and write

7FE000

heap

page read and write

272D000

trusted library allocation

page read and write

AF0000

heap

page read and write

B5F000

stack

page read and write

7FFD9B920000

trusted library allocation

page read and write

A50000

heap

page read and write

7FFD9B7A4000

trusted library allocation

page read and write

1AFA0000

heap

page read and write

7FF496680000

trusted library allocation

page execute and read and write

1AFF3000

heap

page read and write

1AFA2000

heap

page read and write

3B0000

unkown

page readonly

1B18A000

heap

page read and write

760000

heap

page read and write

29FB000

trusted library allocation

page read and write

7FFD9B8A0000

trusted library allocation

page execute and read and write

2A00000

trusted library allocation

page read and write

7FFD9B866000

trusted library allocation

page execute and read and write

807000

heap

page read and write

2735000

trusted library allocation

page read and write

3BE000

unkown

page readonly

126C1000

trusted library allocation

page read and write

7FFD9B780000

trusted library allocation

page read and write

1B4DF000

stack

page read and write

7C1000

heap

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

7B1000

heap

page read and write

1C11C000

stack

page read and write

2712000

trusted library allocation

page read and write

2716000

trusted library allocation

page read and write

7FFD9B7A0000

trusted library allocation

page read and write

1B079000

heap

page read and write

B10000

heap

page read and write

C5E000

stack

page read and write

2733000

trusted library allocation

page read and write

1B019000

heap

page read and write

2722000

trusted library allocation

page read and write

2A04000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

7FFD9B941000

trusted library allocation

page read and write

AF5000

heap

page read and write

2718000

trusted library allocation

page read and write

750000

heap

page read and write

1AA4F000

heap

page read and write

1B85F000

stack

page read and write

2727000

trusted library allocation

page read and write

29D5000

trusted library allocation

page read and write

1B022000

heap

page read and write

7FFD9B784000

trusted library allocation

page read and write

7FFD9B836000

trusted library allocation

page read and write

1B026000

heap

page read and write

1A6F0000

trusted library allocation

page read and write

25F0000

heap

page execute and read and write

1BB1C000

stack

page read and write

7FB000

heap

page read and write

AE0000

trusted library allocation

page read and write

7FFD9B793000

trusted library allocation

page read and write

1BC1D000

stack

page read and write

1BE1A000

stack

page read and write

273E000

trusted library allocation

page read and write

B03000

trusted library allocation

page read and write

7FFD9B790000

trusted library allocation

page read and write

1BA1C000

stack

page read and write

29B5000

trusted library allocation

page read and write

29E9000

trusted library allocation

page read and write

29B2000

trusted library allocation

page read and write

1AC5C000

stack

page read and write

2739000

trusted library allocation

page read and write

714000

stack

page read and write

1B01C000

heap

page read and write

29F7000

trusted library allocation

page read and write

1B81E000

stack

page read and write

7FFD9B783000

trusted library allocation

page execute and read and write

1BF1D000

stack

page read and write

1B024000

heap

page read and write

7FFD9B830000

trusted library allocation

page read and write

2724000

trusted library allocation

page read and write

78C000

heap

page read and write

1B245000

heap

page read and write

272B000

trusted library allocation

page read and write

1B013000

heap

page read and write

1B5DE000

stack

page read and write

780000

heap

page read and write

B15000

heap

page read and write

1B0E0000

heap

page read and write

786000

heap

page read and write

1BD1A000

stack

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

273B000

trusted library allocation

page read and write

7C4000

heap

page read and write

7FFD9B930000

trusted library allocation

page execute and read and write

29BB000

trusted library allocation

page read and write

7FFD9B840000

trusted library allocation

page execute and read and write

1AFA6000

heap

page read and write

B00000

trusted library allocation

page read and write

1AFEA000

heap

page read and write

7AC000

heap

page read and write

7ED000

heap

page read and write

1B0D0000

heap

page execute and read and write

271A000

trusted library allocation

page read and write

1B19F000

heap

page read and write

29B8000

trusted library allocation

page read and write

7FFD9B83C000

trusted library allocation

page execute and read and write

7F7000

heap

page read and write

A4D000

stack

page read and write

25BE000

stack

page read and write

7FFD9B7DC000

trusted library allocation

page execute and read and write

1B06F000

heap

page read and write

1B183000

heap

page read and write

26B0000

heap

page read and write

3B0000

unkown

page readonly

AC0000

trusted library allocation

page read and write

7FFD9B7AB000

trusted library allocation

page execute and read and write

7B5000

heap

page read and write

29E2000

trusted library allocation

page read and write

1B094000

heap

page read and write

A70000

heap

page read and write

126CF000

trusted library allocation

page read and write

There are 114 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
bUAB.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportbUAB.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
bUAB.exe