Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\fw8ex1BNek.exe

"C:\Users\user\Desktop\fw8ex1BNek.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1624
Target ID:	0
Parent PID:	5692
Name:	fw8ex1BNek.exe
Path:	C:\Users\user\Desktop\fw8ex1BNek.exe
Commandline:	"C:\Users\user\Desktop\fw8ex1BNek.exe"
Size:	307712
MD5:	6A4B078A500C92AE7BBF3563A49FB100
Time:	15:30:52
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	839680
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected SmokeLoader	Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains strange resources	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

Details

Is windows:	true
Is dropped:	false
PID:	3440
Target ID:	5
Parent PID:	1624
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\explorer.exe
Commandline:	C:\Windows\Explorer.EXE
Size:	3933184
MD5:	AD5296B280E8F522A8A897C96BAB0E1D
Time:	15:31:04
Date:	18/12/2021
Reason:	existingprocessinject
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6f22f0000
Modulesize:	3919872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection

C:\Users\user\AppData\Roaming\acgvitw

Details

Is windows:	false
Is dropped:	true
PID:	1752
Target ID:	11
Parent PID:	936
Name:	acgvitw
Path:	C:\Users\user\AppData\Roaming\acgvitw
Commandline:	C:\Users\user\AppData\Roaming\acgvitw
Size:	307712
MD5:	6A4B078A500C92AE7BBF3563A49FB100
Time:	15:31:42
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	839680
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected SmokeLoader	Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\DB56.exe

Details

Is windows:	false
Is dropped:	true
PID:	3496
Target ID:	17
Parent PID:	3440
Name:	DB56.exe
Path:	C:\Users\user\AppData\Local\Temp\DB56.exe
Commandline:	C:\Users\user\AppData\Local\Temp\DB56.exe
Size:	545280
MD5:	F2F8A2B12CB2E41FFBE135B6ED9B5B7C
Time:	15:32:02
Date:	18/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\DB56.exe

Details

Is windows:	false
Is dropped:	true
PID:	4272
Target ID:	18
Parent PID:	3496
Name:	DB56.exe
Path:	C:\Users\user\AppData\Local\Temp\DB56.exe
Commandline:	C:\Users\user\AppData\Local\Temp\DB56.exe
Size:	545280
MD5:	F2F8A2B12CB2E41FFBE135B6ED9B5B7C
Time:	15:32:10
Date:	18/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\4924.exe

Details

Is windows:	true
Is dropped:	false
PID:	6316
Target ID:	23
Parent PID:	3440
Name:	4924.exe
Path:	C:\Users\user\AppData\Local\Temp\4924.exe
Commandline:	C:\Users\user\AppData\Local\Temp\4924.exe
Size:	406045
MD5:	4C2D293F6A8F5AB1D869EFDFCD4AD41A
Time:	15:32:29
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	937984
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Benign windows process drops PE files	HIPS / PFW / Operating System Protection Evasion	Exploitation for Client Execution
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\8CE5.exe

Details

Is windows:	true
Is dropped:	false
PID:	5548
Target ID:	24
Parent PID:	3440
Name:	8CE5.exe
Path:	C:\Users\user\AppData\Local\Temp\8CE5.exe
Commandline:	C:\Users\user\AppData\Local\Temp\8CE5.exe
Size:	94424
MD5:	EC1105BE312FD184FFC9D7F272D64B87
Time:	15:32:46
Date:	18/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	315392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://45.9.20.240:7769/Igno.exe

45.9.20.240

http://e-lanpengeonline.com/upload/

http://185.112.83.8/InjectHollowing.bin

http://185.112.83.8/install3.exe

185.112.83.8

http://galala.ru/upload/

http://witra.ru/upload/

http://rcacademy.at/upload/

211.59.14.90

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://service.r

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

https://support.google.com/chrome/?p=plugin_real

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://www.interoperabilitybridges.com/wmp-extension-for-chrome

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

https://support.google.com/chrome/?p=plugin_pdf

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

https://bastinscustomfab.com/veldolore/scc.exe

50.62.140.96

https://cdn.discordapp.com/attachments/921473641538027521/921473810035793960/Vorticism.exe

162.159.134.233

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://forms.real.com/real/realone/download.html?type=rpsp_us

unknown

http://support.a

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs