Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xuI8pQHlxExL.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	3.8035401193939826
Filename:	xuI8pQHlxExL.exe
Filesize:	32768
MD5:	ed064734a0bf02c905e63d64a495364b
SHA1:	b5c8e93ccd6aa3457f9727ed319384ba97c9ac71
SHA256:	544a4d7177ed4b85a9c9807fa396e07e3243e2e6c4ce2b0fe0f908d6ee37bdc9
SHA512:	ea54436dec688d075b3d095fb3ea79cce1cd4bb2cb4c7d243517d819a46f8b51b812f16bf982af1db9eeb5816e8ed8578c70e1c3aabcdf50818fe8aedff8776f
SSDEEP:	384:f0bUe5XB4e0XeOhJggUBZIGlWT1tTUFQqzFVkObbR:UT9Bu9zggUBZI567bR
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.&f.................P... ......~g... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	Access Token Manipulation File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xuI8pQHlxExL.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xuI8pQHlxExL.exe.log
Category:	dropped
Dump:	xuI8pQHlxExL.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.243019596074263
Encrypted:	false
Ssdeep:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
Size:	907
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xuI8pQHlxExL.exe

"C:\Users\user\Desktop\xuI8pQHlxExL.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7096
Target ID:	0
Parent PID:	2580
Name:	xuI8pQHlxExL.exe
Path:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
Commandline:	"C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Size:	32768
MD5:	ED064734A0BF02C905E63D64A495364B
Time:	19:05:54
Date:	22/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9c0000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4488
Target ID:	5
Parent PID:	7096
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xuI8pQHlxExL.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	19:07:17
Date:	22/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5296
Target ID:	6
Parent PID:	4488
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:07:17
Date:	22/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

resilencia2023.duckdns.org

Details

Name:	resilencia2023.duckdns.org
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://go.microsoft.

unknown

http://go.microsoft.LinkId=42127

unknown

Details

Name:	http://go.microsoft.LinkId=42127
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
Source:	xuI8pQHlxExL.exe, 00000000.00000002.2476333254.0000000000F11000.00000004.00000020.00020000.00000000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

resilencia2023.duckdns.org

179.14.8.182

Details

Name:	resilencia2023.duckdns.org
IP:	179.14.8.182
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

179.14.8.182

resilencia2023.duckdns.org

Colombia

Details

IP:	179.14.8.182
TargetID:	0
Current Path:	C:\Users\user\Desktop\xuI8pQHlxExL.exe
Country:	Colombia
Countrycode:	COL
ASN number:	27831
ASN name:	ColombiaMovilCO
Private:	false
Domain:	resilencia2023.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

HKEY_CURRENT_USER\SOFTWARE\8abd92e56969

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

9C2000

unkown

page readonly

3021000

trusted library allocation

page read and write

52E0000

heap

page read and write

1302000

trusted library allocation

page read and write

69C0000

heap

page read and write

1368000

trusted library allocation

page read and write

5CC0000

heap

page read and write

5D30000

heap

page read and write

52AC000

stack

page read and write

10DA000

trusted library allocation

page execute and read and write

E40000

heap

page read and write

52C0000

trusted library allocation

page execute and read and write

F85000

heap

page read and write

E20000

heap

page read and write

F73000

heap

page read and write

3075000

trusted library allocation

page read and write

1307000

trusted library allocation

page execute and read and write

5770000

trusted library allocation

page execute and read and write

EE0000

heap

page read and write

10BA000

trusted library allocation

page execute and read and write

358A000

trusted library allocation

page read and write

53EE000

stack

page read and write

5CBD000

stack

page read and write

5BBB000

stack

page read and write

10E0000

trusted library allocation

page read and write

2E20000

heap

page read and write

F90000

heap

page read and write

1070000

heap

page read and write

10B2000

trusted library allocation

page execute and read and write

134E000

stack

page read and write

6AD0000

heap

page read and write

2F90000

heap

page read and write

2F7E000

stack

page read and write

D56000

stack

page read and write

566E000

stack

page read and write

2F80000

heap

page read and write

6AC0000

heap

page read and write

E26000

heap

page read and write

5329000

stack

page read and write

5170000

trusted library allocation

page execute and read and write

F7A000

heap

page read and write

9C0000

unkown

page readonly

3590000

trusted library allocation

page read and write

F44000

heap

page read and write

7FC40000

trusted library allocation

page execute and read and write

552E000

stack

page read and write

30BE000

trusted library allocation

page read and write

E0C000

stack

page read and write

1400000

heap

page read and write

562F000

stack

page read and write

10D0000

trusted library allocation

page read and write

2BBD000

stack

page read and write

54EE000

stack

page read and write

57F0000

heap

page read and write

10C2000

trusted library allocation

page execute and read and write

C5A000

stack

page read and write

10F0000

heap

page read and write

F6A000

heap

page read and write

10CA000

trusted library allocation

page execute and read and write

35B0000

trusted library allocation

page read and write

10A0000

trusted library allocation

page read and write

DC0000

heap

page read and write

E45000

heap

page read and write

2CDE000

stack

page read and write

515F000

stack

page read and write

1100000

heap

page read and write

5160000

trusted library allocation

page read and write

10D7000

trusted library allocation

page execute and read and write

9C8000

unkown

page readonly

525B000

stack

page read and write

5800000

heap

page read and write

EAE000

heap

page read and write

1300000

trusted library allocation

page read and write

D59000

stack

page read and write

5D35000

heap

page read and write

F4F000

heap

page read and write

130B000

trusted library allocation

page execute and read and write

F6E000

heap

page read and write

2ABD000

stack

page read and write

515D000

stack

page read and write

5260000

trusted library allocation

page read and write

52B0000

trusted library allocation

page read and write

3410000

heap

page read and write

1430000

heap

page execute and read and write

309E000

unkown

page read and write

309A000

trusted library allocation

page read and write

32FF000

stack

page read and write

DB0000

heap

page read and write

10C0000

trusted library allocation

page read and write

310C000

heap

page read and write

10EA000

trusted library allocation

page execute and read and write

521C000

stack

page read and write

10E2000

trusted library allocation

page execute and read and write

F48000

heap

page read and write

F11000

heap

page read and write

2F3E000

unkown

page read and write

5880000

heap

page read and write

EA0000

heap

page read and write

4021000

trusted library allocation

page read and write

35B8000

trusted library allocation

page read and write

576E000

stack

page read and write

E8C000

stack

page read and write

52E3000

heap

page read and write

505B000

stack

page read and write

3100000

heap

page read and write

There are 95 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xuI8pQHlxExL.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxuI8pQHlxExL.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xuI8pQHlxExL.exe