Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

C:\ProgramData\DAECFIJDAAAKECBFCGHIJKFCGD

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\DBKKFCBAKKFBGCBFHJDGDGDHCA

SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11

dropped

C:\ProgramData\EHJDGCBG

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\FBKECFII

SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\HCGCAAKJDHJJJJJKKKFBKFBAEB

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\HDAAAAFI

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\HDAAAAFIIJDBGDGCGDAK

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\HJJKFBGC

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\HJJKFBGCFHCGDHIDAAEC

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199673019888[1].htm

HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

data

dropped

There are 16 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6572
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	402432
MD5:	29F54FAD89DEED256700D488427191F5
Time:	14:21:56
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x390000
Modulesize:	417792
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6464
Target ID:	2
Parent PID:	6572
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	14:21:56
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6712
Target ID:	1
Parent PID:	6572
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:21:56
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://player.vimeo.com

unknown

https://duckduckgo.com/ac/?q=

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://37.27.87.155/sqln.dll;1

unknown

https://37.27.87.155/freebl3.dlla

unknown

https://37.27.87.155/sqln.dll

37.27.87.155

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016exe

unknown

https://37.27.87.155/ramData

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://37.27.87.155/bt

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://37.27.87.155/softokn3.dll

37.27.87.155

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17e

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english

unknown

https://37.27.87.155/rt

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am

unknown

https://s.ytimg.com;

unknown

https://steam.tv/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Kg_v7CMM

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jU8h8CqVh6FY&l=e

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://37.27.87.155/nss3.dll

37.27.87.155

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://mozilla.org0/

unknown

https://37.27.87.155CGHCG

unknown

https://37.27.87.155/vcruntime140.dll

37.27.87.155

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=BMF068jICwP9&

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://37.27.87.155/msvcp140.dlle

unknown

https://store.steampowered.com/points/shop/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://sketchfab.com

unknown

https://steamcommunity.com/profiles/76561199673019888/badges

unknown

https://www.ecosia.org/newtab/

unknown

https://lv.queniujq.cn

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://www.youtube.com/

unknown

https://37.27.87.155/Ru3

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://37.27.87.155/msvcp140.dll

37.27.87.155

https://www.google.com/recaptcha/

unknown

https://37.27.87.155/

37.27.87.155

https://checkout.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

unknown

https://37.27.87.155/vcruntime140.dllv

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://t.me/irfailAt

unknown

https://37.27.87.155/:

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

https://37.27.87.155/freebl3.dll

37.27.87.155

https://help.steampowered.com/en/

unknown

https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://steamcommunity.com/profiles/76561199673019888Upp

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://37.27.87.155/27.87.155/nss3.dll

unknown

https://37.27.87.155/X

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://37.27.87.155/P

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHly8&a

unknown

https://37.27.87.155/M

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

23.76.43.59

Details

Name:	steamcommunity.com
IP:	23.76.43.59
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

37.27.87.155

unknown

Iran (ISLAMIC Republic Of)

Details

IP:	37.27.87.155
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	39232
ASN name:	UNINETAZ
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

23.76.43.59

steamcommunity.com

United States

Details

IP:	23.76.43.59
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	19037
ASN name:	AMXArgentinaSAAR
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3BE000

unkown

page read and write

1422000

heap

page read and write

400000

remote allocation

page execute and read and write

DF0000

heap

page read and write

E9BD000

stack

page read and write

19A10000

direct allocation

page execute and read and write

9D000

stack

page read and write

3F2000

unkown

page execute and read and write

3F4000

unkown

page readonly

136AF000

stack

page read and write

9F3F000

stack

page read and write

19A11000

direct allocation

page execute read

6C752000

unkown

page readonly

10EB000

stack

page read and write

D8C000

stack

page read and write

CA0000

heap

page read and write

6C8FF000

unkown

page readonly

19C5F000

direct allocation

page readonly

390000

unkown

page readonly

13850000

heap

page read and write

391000

unkown

page execute read

19C1F000

direct allocation

page readonly

129E000

stack

page read and write

514000

remote allocation

page execute and read and write

19EF5000

heap

page read and write

19F73000

heap

page read and write

13860000

heap

page read and write

14B6000

heap

page read and write

131E000

stack

page read and write

13C12000

heap

page read and write

13984000

heap

page read and write

139D000

stack

page read and write

15AE000

heap

page read and write

6CE000

heap

page read and write

EB9D000

stack

page read and write

19A18000

direct allocation

page execute read

1C52E000

stack

page read and write

6C93F000

unkown

page write copy

19C28000

direct allocation

page readonly

63F000

remote allocation

page execute and read and write

135D000

stack

page read and write

10F3000

stack

page read and write

3BE000

unkown

page write copy

1116E000

stack

page read and write

200000

heap

page read and write

3B4000

unkown

page readonly

10EF000

stack

page read and write

110DD000

stack

page read and write

11D5000

heap

page read and write

1371C000

stack

page read and write

13EE000

heap

page read and write

14CF000

heap

page read and write

EA3E000

stack

page read and write

511000

remote allocation

page execute and read and write

220000

heap

page read and write

10F8000

stack

page read and write

19EF0000

heap

page read and write

13AA000

heap

page read and write

51A000

remote allocation

page execute and read and write

160E000

heap

page read and write

13CBB000

heap

page read and write

3B4000

unkown

page readonly

9BF000

stack

page read and write

19C5D000

direct allocation

page readonly

11E0000

heap

page read and write

13AB4000

heap

page read and write

390000

unkown

page readonly

12C0000

heap

page read and write

6CA000

heap

page read and write

19C52000

direct allocation

page read and write

434000

remote allocation

page execute and read and write

13A0000

heap

page read and write

6C74E000

unkown

page read and write

6C6C0000

unkown

page readonly

1381D000

stack

page read and write

EB3F000

stack

page read and write

37E000

stack

page read and write

6C6C1000

unkown

page execute read

1210000

heap

page read and write

14CB000

heap

page read and write

C47C000

stack

page read and write

14BF000

heap

page read and write

11D0000

heap

page read and write

ABF000

stack

page read and write

19F61000

heap

page read and write

6C761000

unkown

page execute read

140B000

heap

page read and write

6C93E000

unkown

page read and write

391000

unkown

page execute read

13AAD000

heap

page read and write

13BF4000

heap

page read and write

125E000

stack

page read and write

75BE000

stack

page read and write

5F1000

remote allocation

page execute and read and write

6C0000

heap

page read and write

10FC000

stack

page read and write

558000

remote allocation

page execute and read and write

6C73D000

unkown

page readonly

6C940000

unkown

page read and write

19DAE000

stack

page read and write

13CB9000

heap

page read and write

19B76000

direct allocation

page execute read

3F3000

unkown

page read and write

1F0000

heap

page read and write

6C760000

unkown

page readonly

19C5A000

direct allocation

page readonly

6C945000

unkown

page readonly

121A000

heap

page read and write

3F4000

unkown

page readonly

9AFE000

stack

page read and write

19C1D000

direct allocation

page execute read

19D000

stack

page read and write

136C0000

heap

page read and write

63E000

stack

page read and write

There are 104 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe