Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

820.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.22558066200294
Filename:	820.exe
Filesize:	92160
MD5:	f318a9ad5a22eb8b1a0849d82b171cc6
SHA1:	4206d66d1279f24097aeec8184dc3dd22cc6513a
SHA256:	820b7ea29750ecab25b85ef56f24d42b51b332b404e594ee55cdff2bc63097df
SHA512:	08aabb6469c060403d38bdc389e94d7997f85ca82f007afde7a0322d46b0fe18cb056050a32078855f81536afc6cd944392adadc3d3528debf5b418f4db761b9
SSDEEP:	1536:127gBvJqTAugrnSIa3HPdcbdReUNPkN1POkXoTvBEAlkzm/:wMdjXAHPqTeUOOLEAp/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q%.b...............2.....R......V........0....@........................................................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code	Hooking and other Techniques for Hiding and Protection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Found evasive API chain (may stop execution after accessing registry keys)	Malware Analysis System Evasion
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Process Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Yara signature match	System Summary
Contains functionality to access the windows certificate store	System Summary	Install Root Certificate
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Executes batch files	System Summary	Scripting Install Root Certificate
Found strings which match to known social media urls	Networking	Install Root Certificate
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery

C:\Users\user\AppData\Local\Temp\6575781.bat

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\6575781.bat
Category:	dropped
Dump:	6575781.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\820.exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	3.233204299824007
Encrypted:	false
Ssdeep:	3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
Size:	94
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates temporary files	System Summary
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\820.exe

"C:\Users\user\Desktop\820.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7324
Target ID:	0
Parent PID:	2580
Name:	820.exe
Path:	C:\Users\user\Desktop\820.exe
Commandline:	"C:\Users\user\Desktop\820.exe"
Size:	92160
MD5:	F318A9AD5A22EB8B1A0849D82B171CC6
Time:	02:51:05
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	102400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Pony	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses 32bit PE files	Compliance, System Summary
Executes batch files	System Summary	Scripting
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "

Details

Is windows:	true
Is dropped:	false
PID:	7420
Target ID:	1
Parent PID:	7324
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	02:51:07
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7428
Target ID:	2
Parent PID:	7420
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:51:07
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://https://ftp://operawand.dat_Software

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

ftp://http://https://ftp.fireFTPsites.datSeaMonkey

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://www.ibsensoftware.com/

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

assuredexpresscourierservice.com

unknown

Details

Name:	assuredexpresscourierservice.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\WinRAR

HWID

Memdumps

Base Address

Regiontype

Protect

Malicious

413000

unkown

page readonly

414000

unkown

page write copy

413000

unkown

page readonly

414000

unkown

page read and write

4AE000

stack

page read and write

23ED000

stack

page read and write

22F0000

trusted library allocation

page read and write

6E3000

heap

page read and write

29CF000

stack

page read and write

2C8E000

stack

page read and write

309C000

stack

page read and write

708000

heap

page read and write

71F000

heap

page read and write

6DE000

heap

page read and write

4E5000

heap

page read and write

6DF000

heap

page read and write

708000

heap

page read and write

2DEE000

stack

page read and write

708000

heap

page read and write

46E000

stack

page read and write

68E000

heap

page read and write

2B4E000

stack

page read and write

97F000

stack

page read and write

6F5000

heap

page read and write

680000

heap

page read and write

2480000

heap

page read and write

A80000

heap

page read and write

28CF000

stack

page read and write

688000

heap

page read and write

6EF000

heap

page read and write

B3C000

stack

page read and write

2B0F000

stack

page read and write

A7F000

stack

page read and write

2D8F000

stack

page read and write

6E3000

heap

page read and write

246E000

stack

page read and write

401000

unkown

page execute read

420000

heap

page read and write

B40000

heap

page read and write

22F0000

trusted library allocation

page read and write

6D6000

heap

page read and write

6DF000

heap

page read and write

2EF0000

heap

page read and write

6E3000

heap

page read and write

2C4F000

stack

page read and write

319C000

stack

page read and write

70D000

heap

page read and write

400000

unkown

page readonly

2A0E000

stack

page read and write

242E000

stack

page read and write

2EEF000

stack

page read and write

4E0000

heap

page read and write

5FE000

stack

page read and write

400000

unkown

page readonly

9B000

stack

page read and write

6E8000

heap

page read and write

1F0000

heap

page read and write

19B000

stack

page read and write

B46000

heap

page read and write

87E000

stack

page read and write

70A000

heap

page read and write

401000

unkown

page execute read

There are 52 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
820

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report820

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
820