Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe

"C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7124
Target ID:	0
Parent PID:	5732
Name:	16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe
Path:	C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe
Commandline:	"C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe"
Size:	157696
MD5:	8205D65F76FA63E73B7685FAF647A048
Time:	13:18:58
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	4288512
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected SmokeLoader	Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file contains strange resources	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

Details

Is windows:	true
Is dropped:	false
PID:	3352
Target ID:	10
Parent PID:	7124
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\explorer.exe
Commandline:	C:\Windows\Explorer.EXE
Size:	3933184
MD5:	AD5296B280E8F522A8A897C96BAB0E1D
Time:	13:19:21
Date:	18/12/2021
Reason:	existingprocessinject
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff720ea0000
Modulesize:	3919872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection

C:\Users\user\AppData\Roaming\hrsafib

Details

Is windows:	false
Is dropped:	true
PID:	784
Target ID:	16
Parent PID:	664
Name:	hrsafib
Path:	C:\Users\user\AppData\Roaming\hrsafib
Commandline:	C:\Users\user\AppData\Roaming\hrsafib
Size:	157696
MD5:	8205D65F76FA63E73B7685FAF647A048
Time:	13:19:57
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	4288512
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Benign windows process drops PE files	HIPS / PFW / Operating System Protection Evasion	Exploitation for Client Execution
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected SmokeLoader	Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\72E0.exe

Details

Is windows:	false
Is dropped:	true
PID:	1904
Target ID:	21
Parent PID:	3352
Name:	72E0.exe
Path:	C:\Users\user\AppData\Local\Temp\72E0.exe
Commandline:	C:\Users\user\AppData\Local\Temp\72E0.exe
Size:	545280
MD5:	F2F8A2B12CB2E41FFBE135B6ED9B5B7C
Time:	13:20:09
Date:	18/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0xcc0000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\72E0.exe

Details

Is windows:	false
Is dropped:	true
PID:	5272
Target ID:	22
Parent PID:	1904
Name:	72E0.exe
Path:	C:\Users\user\AppData\Local\Temp\72E0.exe
Commandline:	C:\Users\user\AppData\Local\Temp\72E0.exe
Size:	545280
MD5:	F2F8A2B12CB2E41FFBE135B6ED9B5B7C
Time:	13:20:16
Date:	18/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x120000
Modulesize:	573440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\72E0.exe

Details

Is windows:	false
Is dropped:	true
PID:	5456
Target ID:	23
Parent PID:	1904
Name:	72E0.exe
Path:	C:\Users\user\AppData\Local\Temp\72E0.exe
Commandline:	C:\Users\user\AppData\Local\Temp\72E0.exe
Size:	545280
MD5:	F2F8A2B12CB2E41FFBE135B6ED9B5B7C
Time:	13:20:20
Date:	18/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x3d0000
Modulesize:	0
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\2923.exe

Details

Is windows:	false
Is dropped:	true
PID:	2408
Target ID:	27
Parent PID:	3352
Name:	2923.exe
Path:	C:\Users\user\AppData\Local\Temp\2923.exe
Commandline:	C:\Users\user\AppData\Local\Temp\2923.exe
Size:	420954
MD5:	A6995D610D05F1BEFD4D55A11C8316A2
Time:	13:20:27
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	954368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\495E.exe

Details

Is windows:	true
Is dropped:	false
PID:	6032
Target ID:	31
Parent PID:	3352
Name:	495E.exe
Path:	C:\Users\user\AppData\Local\Temp\495E.exe
Commandline:	C:\Users\user\AppData\Local\Temp\495E.exe
Size:	94424
MD5:	EC1105BE312FD184FFC9D7F272D64B87
Time:	13:20:35
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	315392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8

Details

Is windows:	true
Is dropped:	false
PID:	3404
Target ID:	29
Parent PID:	5456
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	13:20:28
Date:	18/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xf60000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://45.9.20.240:7769/Igno.exe

45.9.20.240

http://e-lanpengeonline.com/upload/

http://185.112.83.8/InjectHollowing.bin

http://185.112.83.8/install3.exe

185.112.83.8

http://galala.ru/upload/

http://witra.ru/upload/

http://rcacademy.at/upload/

91.139.196.113

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://service.r

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

https://support.google.com/chrome/?p=plugin_real

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://www.interoperabilitybridges.com/wmp-extension-for-chrome

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs