Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

BW38j8Jkbl.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.271103985166775
Filename:	BW38j8Jkbl.exe
Filesize:	634880
MD5:	2392a10406f41b602acbbdbbb24e0ff7
SHA1:	9428ec3da5621a909d6cfc52ce3c6297aa97e8bb
SHA256:	b593466df2eb855e58671d6f361c691e4be0f638f1fa17166965e613927684ea
SHA512:	ebd2dc640e1d71a80ebff12219d2e5e335b44ee856144ca83768a286380988432084250aee2a4f4dca8b075e5199e322fd83b6629e70393d1937da07acc14e45
SSDEEP:	6144:60HpX48DnabDczb+x44J8B6jUIMLhTlN1UqCzH7R:jF5Wb4zb74J86jUIMLhZzv2
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..UM..ek..RM..RichSM..................PE..L....b.Z.................p...@....................@........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code	Hooking and other Techniques for Hiding and Protection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Contains functionality to access the windows certificate store	System Summary	Install Root Certificate
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
Executes batch files	System Summary	Scripting Install Root Certificate
Found strings which match to known social media urls	Networking	Install Root Certificate
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Checks if Microsoft Office is installed	System Summary

C:\Users\user\AppData\Local\Temp\6000093.bat

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\6000093.bat
Category:	dropped
Dump:	6000093.bat.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\BW38j8Jkbl.exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	3.233204299824007
Encrypted:	false
Ssdeep:	3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
Size:	94
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates temporary files	System Summary
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\BW38j8Jkbl.exe

"C:\Users\user\Desktop\BW38j8Jkbl.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7132
Target ID:	0
Parent PID:	2580
Name:	BW38j8Jkbl.exe
Path:	C:\Users\user\Desktop\BW38j8Jkbl.exe
Commandline:	"C:\Users\user\Desktop\BW38j8Jkbl.exe"
Size:	634880
MD5:	2392A10406F41B602ACBBDBBB24E0FF7
Time:	21:47:20
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	638976
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Generic Dropper	Stealing of Sensitive Information
Yara detected Pony	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Executes batch files	System Summary	Scripting
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\BW38j8Jkbl.exe

"C:\Users\user\Desktop\BW38j8Jkbl.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5904
Target ID:	1
Parent PID:	7132
Name:	BW38j8Jkbl.exe
Path:	C:\Users\user\Desktop\BW38j8Jkbl.exe
Commandline:	"C:\Users\user\Desktop\BW38j8Jkbl.exe"
Size:	634880
MD5:	2392A10406F41B602ACBBDBBB24E0FF7
Time:	21:47:27
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	102400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Generic Dropper	Stealing of Sensitive Information
Yara detected Pony	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Executes batch files	System Summary	Scripting
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "

Details

Is windows:	true
Is dropped:	false
PID:	6824
Target ID:	2
Parent PID:	5904
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	21:47:30
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1060
Target ID:	3
Parent PID:	6824
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	21:47:30
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://smartoffice-eg.com/include/rili/shit.exe

144.76.41.117

http://smartoffice-eg.com/include/rili/gate.php

https://smartoffice-eg.com/include/rili/shit.exe

144.76.41.117

http://https://ftp://operawand.dat_Software

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://smartoffice-eg.com/include/rili/gate.phphttp://smartoffice-eg.com/include/rili/shit.exeYUIPWD

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

ftp://http://https://ftp.fireFTPsites.datSeaMonkey

unknown

http://www.ibsensoftware.com/

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 6 hidden URLs, click here to show them.

Domains

Name

Malicious

smartoffice-eg.com

144.76.41.117

Details

Name:	smartoffice-eg.com
IP:	144.76.41.117
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

144.76.41.117

smartoffice-eg.com

Germany

Details

IP:	144.76.41.117
TargetID:	1
Current Path:	C:\Users\user\Desktop\BW38j8Jkbl.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	smartoffice-eg.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\WinRAR

HWID

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

4296000

direct allocation

page execute and read and write

6B5000

heap

page read and write

2238000

heap

page read and write

28AF000

stack

page read and write

B26000

heap

page read and write

4291000

direct allocation

page execute and read and write

2DB0000

heap

page read and write

6AF000

heap

page read and write

67E000

heap

page read and write

22F0000

heap

page read and write

26AD000

stack

page read and write

1F0000

heap

page read and write

6B5000

heap

page read and write

22A0000

heap

page read and write

2DAF000

stack

page read and write

2140000

trusted library allocation

page read and write

570000

heap

page read and write

2260000

heap

page read and write

2390000

heap

page read and write

19B000

stack

page read and write

55E000

stack

page read and write

682000

heap

page read and write

6B3000

heap

page read and write

AC0000

heap

page read and write

683000

heap

page read and write

29EF000

stack

page read and write

2140000

trusted library allocation

page read and write

2354000

heap

page read and write

2C6F000

stack

page read and write

40A0000

heap

page read and write

2B2F000

stack

page read and write

498000

unkown

page read and write

2CAE000

stack

page read and write

64E000

stack

page read and write

4F0000

heap

page read and write

6B3000

heap

page read and write

6AC000

heap

page read and write

6AC000

heap

page read and write

400000

unkown

page readonly

6AE000

heap

page read and write

683000

heap

page read and write

400000

unkown

page readonly

305D000

stack

page read and write

9B000

stack

page read and write

2B6E000

stack

page read and write

630000

heap

page read and write

6AC000

heap

page read and write

A6F000

stack

page read and write

6B3000

heap

page read and write

670000

heap

page read and write

22D0000

direct allocation

page read and write

28EE000

stack

page read and write

6B3000

heap

page read and write

59E000

stack

page read and write

695000

heap

page read and write

401000

unkown

page execute read

96F000

stack

page read and write

68E000

heap

page read and write

401000

unkown

page execute read

92F000

stack

page read and write

6AD000

heap

page read and write

688000

heap

page read and write

6B3000

heap

page read and write

49A000

unkown

page readonly

6B5000

heap

page read and write

49A000

unkown

page readonly

2F5C000

stack

page read and write

580000

heap

page read and write

6AD000

heap

page read and write

B20000

heap

page read and write

60E000

stack

page read and write

21AC000

stack

page read and write

82F000

stack

page read and write

2270000

heap

page read and write

5CE000

stack

page read and write

2210000

trusted library allocation

page execute read

69A000

heap

page read and write

2250000

heap

page read and write

2350000

heap

page read and write

688000

heap

page read and write

515000

heap

page read and write

6B3000

heap

page read and write

86F000

stack

page read and write

49A000

unkown

page readonly

19B000

stack

page read and write

2230000

heap

page read and write

27AF000

stack

page read and write

97000

stack

page read and write

6B5000

heap

page read and write

2A2E000

stack

page read and write

6AD000

heap

page read and write

510000

heap

page read and write

401000

unkown

page execute read

694000

heap

page read and write

21EE000

stack

page read and write

23A0000

trusted library allocation

page read and write

400000

unkown

page readonly

1F0000

heap

page read and write

22C0000

direct allocation

page execute and read and write

6AD000

heap

page read and write

67A000

heap

page read and write

222E000

stack

page read and write

638000

heap

page read and write

There are 94 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
BW38j8Jkbl.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBW38j8Jkbl.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
BW38j8Jkbl.exe