Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Outstanding Balance.exe

"C:\Users\user\Desktop\Outstanding Balance.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6512
Target ID:	0
Parent PID:	4624
Name:	Outstanding Balance.exe
Path:	C:\Users\user\Desktop\Outstanding Balance.exe
Commandline:	"C:\Users\user\Desktop\Outstanding Balance.exe"
Size:	693760
MD5:	EDDB51444437EBE5E42164DD30EA5759
Time:	12:42:06
Date:	14/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe50000
Modulesize:	712704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBKXRefcPdWgIF.exe

Details

Is windows:	true
Is dropped:	false
PID:	6900
Target ID:	4
Parent PID:	6512
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBKXRefcPdWgIF.exe
Size:	430592
MD5:	DBA3E6449E97D4E3DF64527EF7012A10
Time:	12:42:18
Date:	14/05/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1230000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBKXRefcPdWgIF" /XML "C:\Users\user\AppData\Local\Temp\tmp2F3E.tmp

Details

Is windows:	true
Is dropped:	false
PID:	6916
Target ID:	6
Parent PID:	6512
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBKXRefcPdWgIF" /XML "C:\Users\user\AppData\Local\Temp\tmp2F3E.tmp
Size:	185856
MD5:	15FF7D8324231381BAD48A052F85DF04
Time:	12:42:19
Date:	14/05/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x280000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\Outstanding Balance.exe

Details

Is windows:	false
Is dropped:	false
PID:	7068
Target ID:	8
Parent PID:	6512
Name:	Outstanding Balance.exe
Path:	C:\Users\user\Desktop\Outstanding Balance.exe
Commandline:	C:\Users\user\Desktop\Outstanding Balance.exe
Size:	693760
MD5:	EDDB51444437EBE5E42164DD30EA5759
Time:	12:42:23
Date:	14/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x870000
Modulesize:	712704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6908
Target ID:	5
Parent PID:	6900
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	12:42:19
Date:	14/05/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7c9170000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7012
Target ID:	7
Parent PID:	6916
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	12:42:20
Date:	14/05/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7c9170000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://rPudMB.com

unknown

http://127.0.0.1:HTTP/1.1

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://certs.starfieldtech.com/repository/0

unknown

http://certificates.starfieldtech.com/repository/0

unknown

http://www.fontbureau.com/designers?

unknown

http://certs.starfieldtech.com/repository/1402

unknown

http://crl.starfieldtech.com/sfroot-g2.crl0L

unknown

http://a2plcpnl0484.prod.iad2.secureserver.net

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

unknown

http://crl.starfieldtech.com/sfig2s1-387.crl0c

unknown

http://www.tiro.com

unknown

http://ocsp.starfieldtech.com/0;

unknown

http://www.fontbureau.com/designers

unknown

https://api.ipify.org%%startupfolder%

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://ocsp.starfieldtech.com/0F

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.fontbureau.comas

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://fontfabrik.com

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-jones.html

unknown

http://www.fontbureau.comm

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://DynDns.comDynDNSnamejidpasswordPsi/Psi

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

https://SjVl8ze1qIuT.com

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://certificates.starfieldtech.com/repository/sfig2.crt0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

https://api.ipify.org%

unknown

There are 35 hidden URLs, click here to show them.

Domains

Name

Malicious

a2plcpnl0484.prod.iad2.secureserver.net

198.71.236.16

Details

Name:	a2plcpnl0484.prod.iad2.secureserver.net
IP:	198.71.236.16
TargetID:	8
Current Path:	C:\Users\user\Desktop\Outstanding Balance.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

198.71.236.16

a2plcpnl0484.prod.iad2.secureserver.net

United States

Details

IP:	198.71.236.16
TargetID:	8
Current Path:	C:\Users\user\Desktop\Outstanding Balance.exe
Country:	United States
Countrycode:	USA
ASN number:	26496
ASN name:	AS-26496-GO-DADDY-COM-LLCUS
Private:	false
Domain:	a2plcpnl0484.prod.iad2.secureserver.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

31D1000

trusted library allocation

page read and write

Details

Name:	00000000.00000002.282083109.00000000031D1000.00000004.00000800.00020000.00000000.sdmp
TargetID:	0
Dumpstage:	process exit
Regiontype:	trusted library allocation
Protect:	page read and write
Base address:	31D1000
Size:	2330624

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

2BF1000

trusted library allocation

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Outstanding Balance.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOutstanding Balance.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Outstanding Balance.exe