Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\bUBL.exe

"C:\Users\user\Desktop\bUBL.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7300
Target ID:	0
Parent PID:	2580
Name:	bUBL.exe
Path:	C:\Users\user\Desktop\bUBL.exe
Commandline:	"C:\Users\user\Desktop\bUBL.exe"
Size:	32768
MD5:	C0BF09B4829BEF52BAC3D6FC6758CCD9
Time:	04:08:55
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc80000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

rusia.duckdns.org

Details

Name:	rusia.duckdns.org
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\bUBL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Domains

Name

Malicious

rusia.duckdns.org

46.246.14.17

Details

Name:	rusia.duckdns.org
IP:	46.246.14.17
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

46.246.14.17

rusia.duckdns.org

Sweden

Details

IP:	46.246.14.17
TargetID:	0
Current Path:	C:\Users\user\Desktop\bUBL.exe
Country:	Sweden
Countrycode:	SWE
ASN number:	42708
ASN name:	PORTLANEwwwportlanecomSE
Private:	false
Domain:	rusia.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

HKEY_CURRENT_USER\SOFTWARE\f2887c56e8ee

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

C82000

unkown

page readonly

142E000

heap

page read and write

1830000

trusted library allocation

page execute and read and write

3364000

trusted library allocation

page read and write

1716000

heap

page read and write

33BA000

trusted library allocation

page read and write

1A00000

heap

page read and write

5BD0000

heap

page read and write

1428000

heap

page read and write

10F9000

stack

page read and write

5BB0000

heap

page read and write

1272000

trusted library allocation

page execute and read and write

57DE000

stack

page read and write

54EC000

stack

page read and write

1820000

trusted library allocation

page read and write

33DA000

trusted library allocation

page read and write

145E000

heap

page read and write

3361000

trusted library allocation

page read and write

33CC000

trusted library allocation

page read and write

181F000

stack

page read and write

129A000

trusted library allocation

page execute and read and write

128A000

trusted library allocation

page execute and read and write

14D5000

heap

page read and write

1840000

heap

page execute and read and write

120E000

stack

page read and write

1628000

trusted library allocation

page read and write

1710000

heap

page read and write

1287000

trusted library allocation

page execute and read and write

5BA0000

heap

page read and write

1270000

trusted library allocation

page read and write

3402000

trusted library allocation

page read and write

16FC000

stack

page read and write

14C5000

heap

page read and write

5A30000

trusted library allocation

page execute and read and write

569E000

stack

page read and write

33D4000

trusted library allocation

page read and write

4361000

trusted library allocation

page read and write

1240000

trusted library allocation

page read and write

3396000

trusted library allocation

page read and write

1250000

heap

page read and write

126A000

trusted library allocation

page execute and read and write

1262000

trusted library allocation

page execute and read and write

12A0000

trusted library allocation

page read and write

55A8000

stack

page read and write

55B3000

heap

page read and write

579E000

stack

page read and write

12AB000

trusted library allocation

page execute and read and write

12F5000

heap

page read and write

10F6000

stack

page read and write

12A7000

trusted library allocation

page execute and read and write

D70000

heap

page read and write

1292000

trusted library allocation

page execute and read and write

545D000

stack

page read and write

13FE000

stack

page read and write

33C9000

trusted library allocation

page read and write

C88000

unkown

page readonly

1420000

heap

page read and write

DCE000

stack

page read and write

58DF000

stack

page read and write

12A2000

trusted library allocation

page read and write

12EE000

stack

page read and write

1210000

heap

page read and write

7F030000

trusted library allocation

page execute and read and write

19F0000

trusted library allocation

page read and write

1280000

trusted library allocation

page read and write

D1A000

stack

page read and write

33E4000

trusted library allocation

page read and write

33D0000

trusted library allocation

page read and write

33C0000

trusted library allocation

page read and write

127A000

trusted library allocation

page execute and read and write

556C000

stack

page read and write

552B000

stack

page read and write

5630000

trusted library allocation

page execute and read and write

161E000

stack

page read and write

55C0000

trusted library allocation

page read and write

12F0000

heap

page read and write

D80000

heap

page read and write

C80000

unkown

page readonly

55B0000

heap

page read and write

5640000

unclassified section

page read and write

There are 70 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
bUBL.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportbUBL.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
bUBL.exe