Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

"C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3872
Target ID:	0
Parent PID:	2580
Name:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Commandline:	"C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe"
Size:	243200
MD5:	AB696103426E266ED3729C899E11E778
Time:	10:16:15
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendDocument

149.154.167.220

Details

Name:	https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/sendDocument
IP:	149.154.167.220
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org

unknown

Details

Name:	https://api.telegram.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C6000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/

unknown

Details

Name:	https://api.telegram.org/bot6407972891:AAEvOm4dEtVGh3Nk7hoxcq00ys_9pap2veU/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

http://api.telegram.org

unknown

Details

Name:	http://api.telegram.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026DA000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Source:	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe, 00000000.00000002.2889163730.00000000026C6000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	0
Current Path:	C:\Users\user\Desktop\17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2671000

trusted library allocation

page read and write

26DA000

trusted library allocation

page read and write

26BE000

trusted library allocation

page read and write

242000

unkown

page readonly

850000

trusted library allocation

page read and write

6340000

trusted library allocation

page read and write

25EE000

trusted library allocation

page read and write

5B70000

heap

page read and write

A3A000

heap

page read and write

380000

heap

page read and write

BC0000

trusted library allocation

page read and write

860000

trusted library allocation

page read and write

260D000

trusted library allocation

page read and write

51A0000

trusted library allocation

page read and write

2660000

heap

page execute and read and write

9A5000

trusted library allocation

page execute and read and write

9E6000

heap

page read and write

24D8000

trusted library allocation

page read and write

9D8000

heap

page read and write

9B0000

heap

page read and write

4C70000

heap

page read and write

9A2000

trusted library allocation

page read and write

5BCD000

heap

page read and write

25C0000

trusted library allocation

page read and write

4FFD000

stack

page read and write

2620000

trusted library allocation

page read and write

24C0000

heap

page read and write

9BE000

heap

page read and write

A64000

heap

page read and write

51C6000

trusted library allocation

page read and write

86D000

trusted library allocation

page execute and read and write

25FA000

trusted library allocation

page read and write

4C50000

trusted library allocation

page read and write

870000

heap

page read and write

886000

heap

page read and write

6F9000

stack

page read and write

4C60000

heap

page execute and read and write

C16000

heap

page read and write

840000

trusted library allocation

page read and write

C0E000

stack

page read and write

26D6000

trusted library allocation

page read and write

854000

trusted library allocation

page read and write

3671000

trusted library allocation

page read and write

4BEC000

stack

page read and write

6330000

trusted library allocation

page read and write

632E000

stack

page read and write

26C2000

trusted library allocation

page read and write

5B9F000

heap

page read and write

6337000

trusted library allocation

page read and write

880000

heap

page read and write

99A000

trusted library allocation

page execute and read and write

4C58000

trusted library allocation

page read and write

60EE000

stack

page read and write

C10000

heap

page read and write

2606000

trusted library allocation

page read and write

9F9000

heap

page read and write

6350000

trusted library allocation

page read and write

992000

trusted library allocation

page read and write

85D000

trusted library allocation

page execute and read and write

51C0000

trusted library allocation

page read and write

4D7C000

stack

page read and write

50FE000

stack

page read and write

5AB0000

trusted library allocation

page execute and read and write

3699000

trusted library allocation

page read and write

9B8000

heap

page read and write

521D000

stack

page read and write

25EB000

trusted library allocation

page read and write

6380000

heap

page read and write

A61000

heap

page read and write

5BDB000

heap

page read and write

6470000

trusted library allocation

page execute and read and write

25F2000

trusted library allocation

page read and write

61EE000

stack

page read and write

A2F000

heap

page read and write

996000

trusted library allocation

page execute and read and write

9A7000

trusted library allocation

page execute and read and write

25FE000

trusted library allocation

page read and write

990000

trusted library allocation

page read and write

51D0000

trusted library allocation

page execute and read and write

4FBE000

stack

page read and write

9F3000

heap

page read and write

7F7C0000

trusted library allocation

page execute and read and write

51B0000

heap

page read and write

9AB000

trusted library allocation

page execute and read and write

26FB000

trusted library allocation

page read and write

4C3E000

stack

page read and write

2612000

trusted library allocation

page read and write

A5E000

heap

page read and write

5C12000

heap

page read and write

25E0000

trusted library allocation

page read and write

A58000

heap

page read and write

2630000

trusted library allocation

page read and write

25B0000

trusted library allocation

page execute and read and write

5AAD000

stack

page read and write

4AB0000

heap

page read and write

25E6000

trusted library allocation

page read and write

810000

heap

page read and write

5B77000

heap

page read and write

476D000

stack

page read and write

26F7000

trusted library allocation

page read and write

31A000

stack

page read and write

2601000

trusted library allocation

page read and write

26BC000

trusted library allocation

page read and write

6500000

heap

page read and write

9F0000

heap

page read and write

26C6000

trusted library allocation

page read and write

51AC000

trusted library allocation

page read and write

27E000

unkown

page readonly

36DA000

trusted library allocation

page read and write

390000

heap

page read and write

240000

unkown

page readonly

4EBE000

stack

page read and write

60AE000

stack

page read and write

5EAE000

stack

page read and write

4C73000

heap

page read and write

5A6D000

stack

page read and write

853000

trusted library allocation

page execute and read and write

4E7E000

stack

page read and write

622E000

stack

page read and write

26E9000

trusted library allocation

page read and write

5FAF000

stack

page read and write

25D0000

trusted library allocation

page read and write

24BF000

stack

page read and write

25AC000

stack

page read and write

5AC0000

trusted library allocation

page read and write

5B73000

heap

page read and write

There are 116 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe