Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

EDownloader.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.591503398666959
Filename:	EDownloader.exe
Filesize:	1327952
MD5:	3d92268fec3c1cf2e0e29a47d22a79fb
SHA1:	445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5
SHA256:	20475e541ca6a061eb5dc587784b9a3910bda519ccfd8d009dfcb4fd60fff0b6
SHA512:	d378a3def28412392e4b7426e53d6c2154c1b59c85815559843084d8381f91761cf0d7fd58b88014c69ee3ef215402217249b82e4a64c00dd5dce9674beabc31
SSDEEP:	24576:95ZO2T67qsf6EbDOt20wjgrccMT8wGo20zd:927UdrccNwGo20zd
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........".;.C.h.C.h.C.h.%.i.C.h.%.i C.h.%.i.C.ht..h.C.h.+.i.C.h.+.i.C.h.+.i.C.h.%.i.C.h.%.i.C.h.C.hPB.h.%.i.C.hO.i.C.hO9h.C.h.CQh.C.

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Security Software Discovery Application Window Discovery
Contains functionality to create an SMB header	Exploits	Exploitation of Remote Services
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Information Discovery System Shutdown/Reboot
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation Security Software Discovery
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Security Software Discovery Data Encrypted for Impact
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Security Software Discovery Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary	Access Token Manipulation
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Public key (encryption) found	Cryptography	Security Software Discovery Account Discovery System Owner/User Discovery Archive Collected Data
Reads software policies	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\EasyLog.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\EasyLog.log
Category:	dropped
Dump:	EasyLog.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\EDownloader.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.9697947247990175
Encrypted:	false
Ssdeep:	3:bRAv+OwnvQNOo2yjEQdVMcLvQNOo2yn:bb34jT7HL4jX
Size:	113
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\EDownloader.exe

"C:\Users\user\Desktop\EDownloader.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3008
Target ID:	0
Parent PID:	1028
Name:	EDownloader.exe
Path:	C:\Users\user\Desktop\EDownloader.exe
Commandline:	"C:\Users\user\Desktop\EDownloader.exe"
Size:	1327952
MD5:	3D92268FEC3C1CF2E0E29A47D22A79FB
Time:	18:18:05
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x520000
Modulesize:	1335296
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://www.google.com/https://www.baidu.com/GMT

unknown

https://www.google.com/

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

https://curl.haxx.se/docs/http-cookies.html#

unknown

https://www.baidu.com/

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

B8E000

stack

page read and write

D13000

heap

page read and write

621000

unkown

page readonly

CCA000

heap

page read and write

CC0000

heap

page read and write

521000

unkown

page execute read

654000

unkown

page read and write

FBE000

stack

page read and write

BD0000

heap

page read and write

621000

unkown

page readonly

C90000

heap

page read and write

654000

unkown

page write copy

D09000

heap

page read and write

EBE000

stack

page read and write

D12000

heap

page read and write

C34000

heap

page read and write

2C10000

trusted library allocation

page read and write

520000

unkown

page readonly

521000

unkown

page execute read

C20000

heap

page read and write

D06000

heap

page read and write

C40000

heap

page read and write

655000

unkown

page write copy

C99000

heap

page read and write

658000

unkown

page readonly

D2F000

heap

page read and write

C95000

heap

page read and write

BCE000

stack

page read and write

6F6000

stack

page read and write

7FB000

stack

page read and write

D09000

heap

page read and write

656000

unkown

page read and write

658000

unkown

page readonly

CCE000

heap

page read and write

D2F000

heap

page read and write

A60000

heap

page read and write

520000

unkown

page readonly

D15000

heap

page read and write

C30000

heap

page read and write

B40000

heap

page read and write

There are 30 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
EDownloader.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportEDownloader.exe

Files

Processes

URLs

Memdumps

IOC Report
EDownloader.exe