Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.175068416693566
Filename:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe
Filesize:	1761280
MD5:	44ba489fd3a12bd062c96421145d2d2f
SHA1:	867383ba1ed8a9760c4051beb1a694fa662758f9
SHA256:	161a2f35c23c46ab65bdb91ed5cc720919b96d11fc6b9a8d2a9498d2ec35fc84
SHA512:	2150eb86cfc11dab5c52fc16e8c33195b5f65a2ecbf0ae9df921686318e75ca9c8363b98262563284f6d0a1086faa4f0d9a1f959363e6bfd6c3ed4a463133aa0
SSDEEP:	24576:6zCGa8qTBe+fAKzWoITfJPSIOa06rexSSsI8HW5QRuk8rqFnng59GbL6bF5TnC:6zCAq30gKSVqlgskF5T
Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM................. ...Z.......-.....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9d50f1a2eb86aa236a701d83e0f8c17bb555f3_2ef1b157_e76709af-2bca-4fd8-aeaf-5d9a60530078\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9d50f1a2eb86aa236a701d83e0f8c17bb555f3_2ef1b157_e76709af-2bca-4fd8-aeaf-5d9a60530078\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6864404096911639
Encrypted:	false
Ssdeep:	192:9vki1cSn2L0BU/zjQjEzuiFFZ24IO8iE8J:Fki1cSn2YBU/zjQjEzuiFFY4IO8iE8J
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER866C.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Apr 25 03:30:42 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER866C.tmp.dmp
Category:	dropped
Dump:	WER866C.tmp.dmp.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 03:30:42 2024, 0x1205a4 type
Entropy:	1.9643119800734063
Encrypted:	false
Ssdeep:	96:50t8HE3MvCVyoVLP8tCIi7nEKnOOYC3CCnxo6tgBWIkWIIRUI4Ggz1iF7sK4:e2L5OLkgIO3nMECCna6uqGgzcFJ4
Size:	18598
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86AB.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER86AB.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER86AB.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.702395023636562
Encrypted:	false
Ssdeep:	192:R6l7wVeJMm/w6Yma6YNbSU9Zgmf43P+prt89bDvsffBm:R6lXJMmI6M6YhSU9Zgmf4fBDUfE
Size:	8494
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86EB.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER86EB.tmp.xml
Category:	dropped
Dump:	WER86EB.tmp.xml.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.58004934700169
Encrypted:	false
Ssdeep:	48:cvIwWl8zsVJg77aI9PHAbHzrWpW8VYzYm8M4JmxF4+q8NlI+j3d:uIjfvI7mK7VrJ3GI+j3d
Size:	4834
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.416942094502225
Encrypted:	false
Ssdeep:	6144:Pcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNe5+:0i58oSWIZBk2MM6AFBYo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe

"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1072
Target ID:	0
Parent PID:	4056
Name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe"
Size:	1761280
MD5:	44BA489FD3A12BD062C96421145D2D2F
Time:	05:30:41
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1761280
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 232

Details

Is windows:	true
Is dropped:	false
PID:	6440
Target ID:	4
Parent PID:	1072
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 232
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	05:30:41
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://mc.qzone.qq.com/cgi-bin/cgi_sale_product

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_help_pasture

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_raise_cub

unknown

http://ctc.appimg.qq.com/mc/module/mc/main/farmui2_v_19.swf

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_harvest_product

unknown

http://www.23gua.comopenS3

unknown

http://api.23gua.com/fy/farm.htmlU

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_upgrade

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_reclaim?mod=user&act=reclaim

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_get_animals

unknown

http://www.indyproject.org/

unknown

http://mc.xiaoyou.qq.com/animalConfig.xml

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_enter

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=clearWeed

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting

unknown

http://appimg.qq.com/happyfarm/module/Main2_v_9.swf

unknown

http://base.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_donate_animal

unknown

http://www.23gua.com

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_donate_animal

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_post_product

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=spraying

unknown

http://www.23gua.cm

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=water

unknown

http://www.clamav.net

unknown

http://api.23gua.com/fy/

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_attack_beast

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_sale_product

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_saleall?mod=repertory&act=saleAll

unknown

http://ptlogin2.qq.com/getimage?aid=353&U

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_upgrade

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_enter

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_up_animalhouse

unknown

http://ctc.appimg.qq.com/mc/module/mc/main/farmui1_v_25.swf

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_buy_animal

unknown

http://ad.23gua.com/pasture.html

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_steal_product

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_getstatus_filter?cmd=3

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_post_product

unknown

http://www.23gua.comopen

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_feed_food

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_getseedinfo?mod=repertory&act=getSeedInfo

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_fight

unknown

http://api.23gua.com/fy/farm.xml

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_steal_v2?mod=farmlandstatus&act=scrounge

unknown

http://captcha.qq.com/getimage?aid=10000101&vc_type=

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeed

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_feed_food

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_get_repertory?target=animal

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_fight

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_reclaim?mod=user&act=reclaim

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_steal_product

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_pickup_crystal

unknown

http://api.23gua.com/fy/farm.html

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run

unknown

http://ctc.appimg.qq.com/mc/module/mc/main/commonui_v_5.swf?v=1

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=harvest

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_pickup_crystal

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_getFriendList?mod=friend

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_getusercrop?f=1

unknown

http://ad.23gua.com/farm.html

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=harvest

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&ownerId=

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_steal_v2?mod=farmlandstatus&act=scrounge

unknown

Http://ptlogin2.qq.com/check?uin=

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_getseedinfo?mod=repertory&act=getSeedInfo

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_raise_cub

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_saleall?mod=repertory&act=saleAll

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_attack_beast

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&ownerId=

unknown

http://appimg.qq.com/happyfarm/module/Main2_v_6.swf

unknown

http://api.23gua.com/farm/key.xml

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=clearWeed

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_ini_run_v2?v=12

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=spraying

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=water

unknown

http://mc.qzone.qq.com/animalConfig.xml

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_getFriendList?mod=friend

unknown

http://farm.qzone.qq.com/cgi-bin/cgi_farm_reclaimpay?mod=user&act=reclaimPay

unknown

http://upx.sf.net

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_get_package

unknown

http://api.23gua.com/fy/card.xml

unknown

http://ptlogin2.qq.com/login?u=

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_get_animals

unknown

http://ptlogin2.qq.com/getimage?aid=353&

unknown

http://mc.qzone.qq.com/cgi-bin/cgi_harvest_product

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_getstatus_filter?cmd=3

unknown

http://ctc.appimg.qq.com/mc/module/Master2_v_5.swf

unknown

http://api.23gua.com/fy/QQ

unknown

http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run

unknown

http://nc.qzone.qq.com/cgi-bin/cgi_farm_getusercrop?f=1

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_buy_animal

unknown

http://mc.xiaoyou.qq.com/cgi-bin/cgi_get_repertory?target=animal

unknown

http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_reclaimpay?mod=user&act=reclaimPay

unknown

http://appimg.qq.com/happyfarm/module/loading2_v_1.swf

unknown

There are 90 hidden URLs, click here to show them.