Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe

"C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe"

Details

Is windows:	false
Is dropped:	false
PID:	5572
Target ID:	0
Parent PID:	1028
Name:	PROFOMA INVOICE-2024-0419 .exe
Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Commandline:	"C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe"
Size:	3473984
MD5:	E67096A9183B74FBE73AC6CA18D56399
Time:	18:13:55
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5e0000
Modulesize:	884736
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Costura Assembly Loader	Data Obfuscation
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://github.com/mgravell/protobuf-net

unknown

Details

Name:	https://github.com/mgravell/protobuf-net
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Source:	PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://github.com/mgravell/protobuf-neti

unknown

Details

Name:	https://github.com/mgravell/protobuf-neti
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Source:	PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://stackoverflow.com/q/14436606/23354

unknown

Details

Name:	https://stackoverflow.com/q/14436606/23354
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Source:	PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://github.com/mgravell/protobuf-netJ

unknown

Details

Name:	https://github.com/mgravell/protobuf-netJ
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Source:	PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://stackoverflow.com/q/11564914/23354;

unknown

Details

Name:	https://stackoverflow.com/q/11564914/23354;
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Source:	PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270275022.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://stackoverflow.com/q/2152978/23354

unknown

Details

Name:	https://stackoverflow.com/q/2152978/23354
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Source:	PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013504000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3271394645.0000000013248000.00000004.00000800.00020000.00000000.sdmp, PROFOMA INVOICE-2024-0419 .exe, 00000000.00000002.3270171709.00000000028C0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

pukrilug.duckdns.org

150.114.84.125

Details

Name:	pukrilug.duckdns.org
IP:	150.114.84.125
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

150.114.84.125

pukrilug.duckdns.org

United States

Details

IP:	150.114.84.125
TargetID:	0
Current Path:	C:\Users\user\Desktop\PROFOMA INVOICE-2024-0419 .exe
Country:	United States
Countrycode:	USA
ASN number:	2516
ASN name:	KDDIKDDICORPORATIONJP
Private:	false
Domain:	pukrilug.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

1B440000

trusted library section

page read and write

12B71000

trusted library allocation

page read and write

2B71000

trusted library allocation

page read and write

1B330000

trusted library section

page read and write

13248000

trusted library allocation

page read and write

2B60000

heap

page execute and read and write

7FF84906A000

trusted library allocation

page read and write

AF8000

heap

page read and write

2F2F000

trusted library allocation

page read and write

2F79000

trusted library allocation

page read and write

1B7F9000

heap

page read and write

7FF848E24000

trusted library allocation

page read and write

7FF848E5C000

trusted library allocation

page execute and read and write

7FF848FC0000

trusted library allocation

page read and write

2790000

trusted library allocation

page read and write

7FF848E00000

trusted library allocation

page read and write

3017000

trusted library allocation

page read and write

1B9A0000

heap

page read and write

2F44000

trusted library allocation

page read and write

AA5000

heap

page read and write

7FF848FD0000

trusted library allocation

page execute and read and write

2F66000

trusted library allocation

page read and write

1B7DF000

stack

page read and write

AAD000

heap

page read and write

7FF849050000

trusted library allocation

page read and write

7FF4122A0000

trusted library allocation

page execute and read and write

5E0000

unkown

page readonly

7FF848EB6000

trusted library allocation

page read and write

1B6DF000

stack

page read and write

AF0000

heap

page read and write

2F6A000

trusted library allocation

page read and write

AC1000

heap

page read and write

D50000

heap

page read and write

1B7E0000

heap

page read and write

7FF849030000

trusted library allocation

page read and write

D85000

heap

page read and write

7FF84902E000

trusted library allocation

page read and write

7FF848FB0000

trusted library allocation

page read and write

6B4000

unkown

page readonly

28A3000

trusted library allocation

page read and write

7FF84900D000

trusted library allocation

page read and write

7FF848FE4000

trusted library allocation

page read and write

13504000

trusted library allocation

page read and write

DE0000

heap

page read and write

7FF848E04000

trusted library allocation

page read and write

7FF848E2B000

trusted library allocation

page execute and read and write

2F31000

trusted library allocation

page read and write

A8C000

heap

page read and write

2F75000

trusted library allocation

page read and write

7FF848FA0000

trusted library allocation

page read and write

7FF849020000

trusted library allocation

page read and write

5E2000

unkown

page readonly

7FF848E20000

trusted library allocation

page read and write

7FF848EE6000

trusted library allocation

page execute and read and write

2F40000

trusted library allocation

page read and write

2F46000

trusted library allocation

page read and write

289E000

stack

page read and write

DE5000

heap

page read and write

D90000

heap

page read and write

2F64000

trusted library allocation

page read and write

7FF849060000

trusted library allocation

page read and write

1B7FB000

heap

page read and write

A50000

heap

page read and write

1AFEC000

stack

page read and write

A80000

heap

page read and write

2F53000

trusted library allocation

page read and write

7E1000

stack

page read and write

7FF848E12000

trusted library allocation

page read and write

7FF848E1D000

trusted library allocation

page execute and read and write

2F84000

trusted library allocation

page read and write

7FF849000000

trusted library allocation

page read and write

7FF848EBC000

trusted library allocation

page execute and read and write

7FF848E2D000

trusted library allocation

page execute and read and write

1B80D000

heap

page read and write

2F35000

trusted library allocation

page read and write

1B5DE000

stack

page read and write

B6D000

heap

page read and write

2F77000

trusted library allocation

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

DC0000

trusted library allocation

page read and write

28C0000

trusted library section

page read and write

7FF849040000

trusted library allocation

page read and write

A40000

heap

page read and write

7FF848EB0000

trusted library allocation

page read and write

D4E000

stack

page read and write

28A0000

trusted library allocation

page read and write

2F48000

trusted library allocation

page read and write

7FF849010000

trusted library allocation

page read and write

13550000

trusted library allocation

page read and write

B6B000

heap

page read and write

2F33000

trusted library allocation

page read and write

7FF848F20000

trusted library allocation

page execute and read and write

5E0000

unkown

page readonly

7FF848FE0000

trusted library allocation

page read and write

2910000

heap

page execute and read and write

B7E000

heap

page read and write

2F7C000

trusted library allocation

page read and write

7FF848E10000

trusted library allocation

page read and write

2F5B000

trusted library allocation

page read and write

D80000

heap

page read and write

AEE000

heap

page read and write

7FF848E03000

trusted library allocation

page execute and read and write

AAF000

heap

page read and write

2F6C000

trusted library allocation

page read and write

2F59000

trusted library allocation

page read and write

2F38000

trusted library allocation

page read and write

2F4A000

trusted library allocation

page read and write

7FF848FF0000

trusted library allocation

page read and write

7FF848EC0000

trusted library allocation

page execute and read and write

AC4000

heap

page read and write

2960000

heap

page read and write

There are 101 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PROFOMA INVOICE-2024-0419 .exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPROFOMA INVOICE-2024-0419 .exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
PROFOMA INVOICE-2024-0419 .exe