Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

o4XzTr73Ut.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.533807802412177
Filename:	o4XzTr73Ut.exe
Filesize:	96864
MD5:	f65536b785611d1b549e8d866fc898ee
SHA1:	ac5d59453273ad0b026d1cd244c422cc020b94b0
SHA256:	a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
SHA512:	9b70f75e5f3345062301b12ddf8572b63adfcfeb6b40b518d53e3f639c47c2de43d7f8e84f975a08a092ef9cb7adedf4c1a1d47458e37932906e8972f67aff59
SSDEEP:	1536:4/T2X/jN2vxZz0DTHUpouMJbdxE+1KloObnlpRaH3OS3kg/S5ERghv0HUxyEMbq:4bG7N2kDTHUpouMJbdPKlJnjRaH+ckgj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information
Tries to detect Any.run	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Contains functionality to call native functions	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Enables debug privileges	Anti Debugging
Is looking for software installed on the system	Malware Analysis System Evasion	Process Discovery System Information Discovery
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to detect virtual machines (SLDT)	Malware Analysis System Evasion	Access Token Manipulation Virtualization/Sandbox Evasion
PE / OLE file has an invalid certificate	System Summary
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Queries process information (via WMI, Win32_Process)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation Virtualization/Sandbox Evasion
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Queries a list of all running drivers	Malware Analysis System Evasion
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Contains functionality to query windows version	Language, Device and Operating System Detection
Found strings which match to known social media urls	Networking
URLs found in memory or binary data	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o4XzTr73Ut.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o4XzTr73Ut.exe.log
Category:	dropped
Dump:	o4XzTr73Ut.exe.log.12.dr
ID:	dr_3
Target ID:	12
Process:	C:\Users\user\Desktop\o4XzTr73Ut.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3192079301865585
Encrypted:	false
Ssdeep:	48:MIHKmfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHqHAH5HX:Pqaq5qXAqLqdqUqzcGYqhQnoPtIxHbq4
Size:	2291
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\Roqueforter8.dat

DOS executable (COM)

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Roqueforter8.dat
Category:	dropped
Dump:	Roqueforter8.dat.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\o4XzTr73Ut.exe
Type:	DOS executable (COM)
Entropy:	7.721891011566723
Encrypted:	false
Ssdeep:	768:X8MEeT9K2b7oV3U/DTT6MviYn6PMoyqxekjpbNmUfFnm0LxfK/Zj1s8zLgwVTJN:X7N7b7oJqT6o6PMoNj9pfFNdfK/Zje8Z
Size:	47562
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\a.txt

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\a.txt
Category:	dropped
Dump:	a.txt.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\o4XzTr73Ut.exe
Type:	ASCII text, with no line terminators
Entropy:	2.2068570640942187
Encrypted:	false
Ssdeep:	3:jNDBfN:jNVfN
Size:	23
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nsb3A92.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsb3A92.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\o4XzTr73Ut.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.814115788739565
Encrypted:	false
Ssdeep:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Size:	12288
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\o4XzTr73Ut.exe

"C:\Users\user\Desktop\o4XzTr73Ut.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6892
Target ID:	0
Parent PID:	5320
Name:	o4XzTr73Ut.exe
Path:	C:\Users\user\Desktop\o4XzTr73Ut.exe
Commandline:	"C:\Users\user\Desktop\o4XzTr73Ut.exe"
Size:	96864
MD5:	F65536B785611D1B549E8D866FC898EE
Time:	10:59:48
Date:	20/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	315392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\Desktop\o4XzTr73Ut.exe

"C:\Users\user\Desktop\o4XzTr73Ut.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6324
Target ID:	12
Parent PID:	6892
Name:	o4XzTr73Ut.exe
Path:	C:\Users\user\Desktop\o4XzTr73Ut.exe
Commandline:	"C:\Users\user\Desktop\o4XzTr73Ut.exe"
Size:	96864
MD5:	F65536B785611D1B549E8D866FC898EE
Time:	11:01:10
Date:	20/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1388544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://service.r

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

https://support.google.com/chrome/?p=plugin_real

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultl

unknown

http://www.interoperabilitybridges.com/wmp-extension-for-chrome

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

https://support.google.com/chrome/?p=plugin_pdf

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://forms.real.com/real/realone/download.html?type=rpsp_us

unknown

http://support.a

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe

unknown

https://support.google.com/chrome/?p=plugin_quicktime

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

https://support.google.com/chrome/?p=plugin_shockwave

unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs