Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xtnhsVjQTxvH.exe

"C:\Users\user\Desktop\xtnhsVjQTxvH.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6860
Target ID:	0
Parent PID:	2580
Name:	xtnhsVjQTxvH.exe
Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Commandline:	"C:\Users\user\Desktop\xtnhsVjQTxvH.exe"
Size:	356352
MD5:	10FB9B71859BFC7AE5AFF462A88ADE70
Time:	21:50:51
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x570000
Modulesize:	385024
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Quasar RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

2%b@)=Y3[YWrz<S

Details

Name:	2%b@)=Y3[YWrz<S
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Source:	config extractor
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://api.ipify.org/

unknown

http://freegeoip.net/xml/

unknown

http://schemas.datacontract.org/2004/07/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Source:	xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/json/

208.95.112.1

Details

Name:	http://ip-api.com/json/
IP:	208.95.112.1
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

Domains

Name

Malicious

proxybreve.duckdns.org

94.156.79.26

Details

Name:	proxybreve.duckdns.org
IP:	94.156.79.26
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

94.156.79.26

proxybreve.duckdns.org

Bulgaria

Details

IP:	94.156.79.26
TargetID:	0
Current Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	proxybreve.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

208.95.112.1

ip-api.com

United States

Details

IP:	208.95.112.1
TargetID:	0
Current Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Country:	United States
Countrycode:	USA
ASN number:	53334
ASN name:	TUT-ASUS
Private:	false
Domain:	ip-api.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\xtnhsVjQTxvH_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

572000

unkown

page readonly

28F1000

trusted library allocation

page read and write

D90000

trusted library allocation

page read and write

6470000

trusted library allocation

page read and write

2692000

trusted library allocation

page read and write

28A1000

trusted library allocation

page read and write

DAD000

trusted library allocation

page execute and read and write

D70000

heap

page read and write

4A8E000

stack

page read and write

38F1000

trusted library allocation

page read and write

DB3000

trusted library allocation

page read and write

2740000

heap

page read and write

B55000

heap

page read and write

663D000

stack

page read and write

DA3000

trusted library allocation

page execute and read and write

EEA000

heap

page read and write

28AD000

trusted library allocation

page read and write

64F0000

trusted library allocation

page execute and read and write

684E000

stack

page read and write

6E80000

heap

page read and write

53C8000

heap

page read and write

2850000

trusted library allocation

page execute and read and write

2929000

trusted library allocation

page read and write

289E000

trusted library allocation

page read and write

A30000

heap

page read and write

5B6E000

stack

page read and write

A10000

heap

page read and write

694F000

stack

page read and write

4DF7000

trusted library allocation

page read and write

284F000

stack

page read and write

B50000

heap

page read and write

DD0000

heap

page read and write

9C0000

heap

page read and write

502B000

heap

page read and write

4FB0000

heap

page read and write

A5A000

heap

page read and write

A4E000

heap

page read and write

4EAE000

stack

page read and write

48F8000

trusted library allocation

page read and write

958000

stack

page read and write

288E000

trusted library allocation

page read and write

3901000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page read and write

2690000

trusted library allocation

page read and write

5CA000

unkown

page readonly

859000

stack

page read and write

4F00000

heap

page read and write

DD7000

heap

page read and write

570000

unkown

page readonly

AAD000

heap

page read and write

4DF0000

trusted library allocation

page read and write

28C0000

trusted library allocation

page read and write

28B2000

trusted library allocation

page read and write

26B0000

trusted library allocation

page read and write

6480000

trusted library allocation

page read and write

502F000

heap

page read and write

2860000

trusted library allocation

page read and write

EE0000

heap

page read and write

4EC0000

heap

page execute and read and write

50B0000

heap

page read and write

28E0000

heap

page execute and read and write

53B0000

heap

page read and write

DA0000

trusted library allocation

page read and write

EE7000

heap

page read and write

D93000

trusted library allocation

page read and write

2998000

trusted library allocation

page read and write

53AC000

stack

page read and write

26FE000

stack

page read and write

269B000

trusted library allocation

page execute and read and write

DBD000

trusted library allocation

page execute and read and write

DCA000

trusted library allocation

page execute and read and write

4DE0000

trusted library allocation

page read and write

DA4000

trusted library allocation

page read and write

9D0000

trusted library allocation

page read and write

4FCD000

heap

page read and write

7FA70000

trusted library allocation

page execute and read and write

54B0000

heap

page read and write

2870000

trusted library allocation

page read and write

64E0000

trusted library allocation

page read and write

273C000

stack

page read and write

A67000

heap

page read and write

2884000

trusted library allocation

page read and write

2892000

trusted library allocation

page read and write

653E000

stack

page read and write

4E4C000

stack

page read and write

DC0000

trusted library allocation

page read and write

630F000

stack

page read and write

DC2000

trusted library allocation

page read and write

28A6000

trusted library allocation

page read and write

288B000

trusted library allocation

page read and write

DC6000

trusted library allocation

page execute and read and write

289A000

trusted library allocation

page read and write

2886000

trusted library allocation

page read and write

64D0000

trusted library allocation

page execute and read and write

6460000

trusted library allocation

page execute and read and write

6450000

trusted library allocation

page read and write

28D0000

trusted library allocation

page read and write

5126000

heap

page read and write

620D000

stack

page read and write

A38000

heap

page read and write

2880000

trusted library allocation

page read and write

2C8A000

trusted library allocation

page read and write

2697000

trusted library allocation

page execute and read and write

4FF2000

heap

page read and write

There are 94 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xtnhsVjQTxvH.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxtnhsVjQTxvH.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xtnhsVjQTxvH.exe