Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

b123.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.3696021074244396
Filename:	b123.exe
Filesize:	235352
MD5:	2e89a7aae558e9be86042e2bd7e65803
SHA1:	64e85269651f0a475d0a94eb98cd3adbf3061e10
SHA256:	7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625
SHA512:	333d17a364c4e3b226de86dfb3cc2b74684c4a37a30d3e690ca69c4be2119f4f4184ea59c7557cfccf4ce78f8c3bc67f0a4360fd465cd8bb44808ab4ccb07f1b
SSDEEP:	3072:iq0Je2P1VU4W3gwbBPWq3rZP55Zu3DtYyprz8gJy436s+OssN+uQSYftoyQ4tpvG:iq0rnURb0K742Ajx3qSYe94tpvURSYOc
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................................p.............@.................................u......................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Detected CryptOne packer	Data Obfuscation
Detected unpacking (changes PE section rights)	Data Obfuscation
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information
Machine Learning detection for sample	AV Detection
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking locale)	Malware Analysis System Evasion	Native API Virtualization/Sandbox Evasion
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Uses 32bit PE files	Compliance, System Summary	Masquerading
Antivirus or Machine Learning detection for unpacked file	AV Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Is looking for software installed on the system	Malware Analysis System Evasion	Process Discovery
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file contains an invalid checksum	Data Obfuscation
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
PE file contains strange resources	System Summary
Contains functionality to read the PEB	Anti Debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
May check if the current machine is a sandbox (GetTickCount - Sleep)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to query local / system time	Language, Device and Operating System Detection
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary
SQL strings found in memory and binary data	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to download additional files from the internet	Networking
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Reads the hosts file	System Summary	Remote System Discovery
PE file imports many functions	System Summary

C:\Users\user\Desktop\4OZ5FKFU

SQLite 3.x database, last written using SQLite version 3032001

dropped

Details

File:	C:\Users\user\Desktop\4OZ5FKFU
Category:	dropped
Dump:	4OZ5FKFU.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\b123.exe
Type:	SQLite 3.x database, last written using SQLite version 3032001
Entropy:	1.1874185457069584
Encrypted:	false
Ssdeep:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
Size:	73728
Whitelisted:	false
Reputation:	high

C:\Users\user\Desktop\GLFUAS2V

SQLite 3.x database, last written using SQLite version 3032001

dropped

Details

File:	C:\Users\user\Desktop\GLFUAS2V
Category:	dropped
Dump:	GLFUAS2V.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\b123.exe
Type:	SQLite 3.x database, last written using SQLite version 3032001
Entropy:	0.698304057893793
Encrypted:	false
Ssdeep:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
Size:	20480
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\Desktop\I5PPP8YC

SQLite 3.x database, last written using SQLite version 3032001

dropped

Details

File:	C:\Users\user\Desktop\I5PPP8YC
Category:	dropped
Dump:	I5PPP8YC.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\b123.exe
Type:	SQLite 3.x database, last written using SQLite version 3032001
Entropy:	0.4507667042986948
Encrypted:	false
Ssdeep:	96:V/WU+bDoYysX0uhnydVjN9DLjGQLBE3u:V/l+bDo3irhnydVj3XBBE3u
Size:	118784
Whitelisted:	false
Reputation:	timeout

C:\Users\user\Desktop\M790ZMO8

SQLite 3.x database, last written using SQLite version 3032001

dropped

Details

File:	C:\Users\user\Desktop\M790ZMO8
Category:	dropped
Dump:	M790ZMO8.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\b123.exe
Type:	SQLite 3.x database, last written using SQLite version 3032001
Entropy:	0.792852251086831
Encrypted:	false
Ssdeep:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
Size:	40960
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\b123.exe

"C:\Users\user\Desktop\b123.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2140
Target ID:	0
Parent PID:	2532
Name:	b123.exe
Path:	C:\Users\user\Desktop\b123.exe
Commandline:	"C:\Users\user\Desktop\b123.exe"
Size:	235352
MD5:	2E89A7AAE558E9BE86042E2BD7E65803
Time:	23:51:57
Date:	22/03/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	245760
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Del in CommandLine	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Windows Cmd Delete File	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file imports many functions	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit

Details

Is windows:	true
Is dropped:	false
PID:	5844
Target ID:	2
Parent PID:	2140
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\b123.exe" & exit
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	23:52:10
Date:	22/03/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1100000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Del in CommandLine	System Summary
Sigma detected: Windows Cmd Delete File	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4492
Target ID:	3
Parent PID:	5844
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	23:52:10
Date:	22/03/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff77f440000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Details

Is windows:	true
Is dropped:	false
PID:	6500
Target ID:	4
Parent PID:	5844
Name:	timeout.exe
Path:	C:\Windows\SysWOW64\timeout.exe
Commandline:	timeout /t 5
Size:	26112
MD5:	121A4EDAE60A7AF6F5DFA82F7BB95659
Time:	23:52:11
Date:	22/03/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3c0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://sughicent.com/blaka.php

5.63.155.126

http://sughicent.com/request

5.63.155.126

https://ac.ecosia.org/autocomplete?q=

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://ocsp.sectigo.com0

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

https://sectigo.com/CPS0D

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

sughicent.com

5.63.155.126

Details

Name:	sughicent.com
IP:	5.63.155.126
TargetID:	0
Current Path:	C:\Users\user\Desktop\b123.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

5.63.155.126

sughicent.com

Russian Federation

Memdumps

Base Address

Regiontype

Protect

Malicious

2070000

direct allocation

page execute and read and write

5DA000

heap

page read and write

211E000

stack

page read and write

20A0000

heap

page read and write

20A8000

heap

page read and write

B9C6BCE000

stack

page read and write

32F0000

heap

page read and write

2A3B845F000

heap

page read and write

9C000

stack

page read and write

F104000

trusted library allocation

page read and write

F4D3000

trusted library allocation

page read and write

4CC0000

heap

page read and write

B9C747E000

stack

page read and write

6097A000

direct allocation

page read and write

FB6C000

stack

page read and write

2A3B8456000

heap

page read and write

2A3B8502000

heap

page read and write

8EA0000

heap

page read and write

60900000

direct allocation

page execute and read and write

8E8F000

stack

page read and write

2F9C000

stack

page read and write

7CF000

stack

page read and write

60980000

direct allocation

page readonly

20B0000

direct allocation

page execute and read and write

919E000

trusted library allocation

page read and write

FB3A000

heap

page read and write

18C000

stack

page read and write

337F000

stack

page read and write

F392000

trusted library allocation

page read and write

109BC000

stack

page read and write

6096F000

direct allocation

page readonly

6096E000

direct allocation

page read and write

333E000

stack

page read and write

198000

stack

page read and write

B9C6E7E000

stack

page read and write

63A000

heap

page read and write

439000

unkown

page execute and read and write

4BE000

stack

page read and write

3407000

heap

page read and write

F2C0000

trusted library allocation

page read and write

2A3B8513000

heap

page read and write

33FF000

stack

page read and write

2A3B8455000

heap

page read and write

2A3B8480000

heap

page read and write

8ACF000

stack

page read and write

400000

unkown

page execute and read and write

F3C0000

trusted library allocation

page read and write

B9C7177000

stack

page read and write

4C0000

heap

page read and write

B9C727E000

stack

page read and write

2A3B8280000

heap

page read and write

8D8E000

stack

page read and write

F330000

trusted library allocation

page read and write

B9C737C000

stack

page read and write

8C4E000

stack

page read and write

2A3B8290000

heap

page read and write

2A3B8402000

heap

page read and write

F39B000

trusted library allocation

page read and write

19E000

stack

page read and write

8C0F000

stack

page read and write

6BD000

heap

page read and write

60901000

direct allocation

page execute read

30000

heap

page read and write

2A3B8426000

heap

page read and write

2A3B8466000

heap

page read and write

401000

unkown

page execute read

8FFA000

stack

page read and write

2A3B848B000

heap

page read and write

89CE000

stack

page read and write

2A3B845B000

heap

page read and write

3400000

heap

page read and write

2220000

unclassified section

page read and write

42F000

unkown

page write copy

10558000

trusted library allocation

page read and write

2A3B843C000

heap

page read and write

623000

heap

page read and write

32D0000

trusted library allocation

page read and write

8EFD000

stack

page read and write

FCB0000

trusted library allocation

page read and write

8D4F000

stack

page read and write

2A3B8413000

heap

page read and write

B9C707B000

stack

page read and write

648000

heap

page read and write

2A3B8500000

heap

page read and write

2A3B8453000

heap

page read and write

905E000

stack

page read and write

6097D000

direct allocation

page read and write

2A3B8429000

heap

page read and write

2A3B8508000

heap

page read and write

FBA0000

heap

page read and write

221F000

stack

page read and write

8CF000

stack

page read and write

108BE000

stack

page read and write

2A3B82F0000

heap

page read and write

2EF0000

heap

page read and write

400000

unkown

page readonly

FB30000

heap

page read and write

6097B000

direct allocation

page readonly

2A3B8C02000

trusted library allocation

page read and write

4C5000

heap

page read and write

6BA000

heap

page read and write

2A3B83F0000

trusted library allocation

page read and write

FCAA000

stack

page read and write

2A3B8400000

heap

page read and write

F38E000

trusted library allocation

page read and write

F9F4000

trusted library allocation

page read and write

2A3B8448000

heap

page read and write

196000

stack

page read and write

433000

unkown

page readonly

9010000

trusted library section

page readonly

B9C6B4B000

stack

page read and write

8B0E000

stack

page read and write

2A3B8461000

heap

page read and write

5D0000

heap

page read and write

10540000

trusted library allocation

page read and write

47E000

stack

page read and write

1F0000

trusted library allocation

page read and write

F4C0000

trusted library allocation

page read and write

33BE000

stack

page read and write

915E000

stack

page read and write

2F5C000

stack

page read and write

There are 111 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
b123.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportb123.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
b123.exe