Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MACHINE SPECIFICATIONS.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.979738488629949
Filename:	MACHINE SPECIFICATIONS.exe
Filesize:	523776
MD5:	92945d0a2731ef771ea9d10c792e03e1
SHA1:	1eeef600b7b51ce7aa93e825be55b40f3ef8e319
SHA256:	46b61250c34b38d26ac5897217e6b70a222ff16318161c4e67c74c74491cc612
SHA512:	33ff6835de8b3a4a0002669deb68acf14a770e7546c2250eb6cdcde2ad4841891f504faa77427e864d1b7758481864189039beb8ec9d926f5804bd7da30a5fb2
SSDEEP:	12288:BxNQOgJk4hl4vPE1suvqvku873X9BsILNILZoRPzre:BxNi6MlzX9BsILNILZoFre
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...$..c.........."...0......B........... ....@...... .......................@............`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Machine Learning detection for sample	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log
Category:	dropped
Dump:	MACHINE SPECIFICATIONS.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Type:	CSV text
Entropy:	5.374391981354885
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
Size:	654
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\newapp\newapp.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Category:	dropped
Dump:	newapp.exe.10.dr
ID:	dr_1
Target ID:	10
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.882571203162287
Encrypted:	false
Ssdeep:	1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW
Size:	107624
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log
Category:	modified
Dump:	newapp.exe.log.11.dr
ID:	dr_3
Target ID:	11
Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.13.dr
ID:	dr_4
Target ID:	13
Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.064987733454706
Encrypted:	false
Ssdeep:	12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB
Size:	486
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Details

Is windows:	false
Is dropped:	false
PID:	6128
Target ID:	0
Parent PID:	3452
Name:	MACHINE SPECIFICATIONS.exe
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Commandline:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Size:	523776
MD5:	92945D0A2731EF771EA9D10C792E03E1
Time:	11:18:56
Date:	29/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x19218000000
Modulesize:	540672
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Details

Is windows:	true
Is dropped:	false
PID:	688
Target ID:	10
Parent PID:	6128
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	11:19:46
Date:	29/11/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\newapp\newapp.exe

"C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4272
Target ID:	11
Parent PID:	3452
Name:	newapp.exe
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	11:20:05
Date:	29/11/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x800000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\newapp\newapp.exe

"C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	676
Target ID:	13
Parent PID:	3452
Name:	newapp.exe
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	11:20:13
Date:	29/11/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x490000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4764
Target ID:	12
Parent PID:	4272
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	11:20:05
Date:	29/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6132
Target ID:	14
Parent PID:	676
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	11:20:14
Date:	29/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

3.220.57.224

http://127.0.0.1:HTTP/1.1

unknown

https://api.ipify.org

unknown

https://eyUBHCqVhczCNfHAY6U.org

unknown

http://xgrPBN.com

unknown

http://ftp.electrobist.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.ipify.orgftp://ftp.electrobist.comuser1

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

unknown

http://DynDns.comDynDNSnamejidpasswordPsi/Psi

unknown

Domains

Name

Malicious

ftp.electrobist.com

51.195.62.160

Details

Name:	ftp.electrobist.com
IP:	51.195.62.160
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

api.ipify.org.herokudns.com

3.220.57.224

c-0001.c-msedge.net

13.107.4.50

api.ipify.org

unknown

Details

Name:	api.ipify.org
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

51.195.62.160

ftp.electrobist.com

France

Details

IP:	51.195.62.160
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	France
Countrycode:	FRA
ASN number:	16276
ASN name:	OVHFR
Private:	false
Domain:	ftp.electrobist.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

192.168.2.1

unknown

3.220.57.224

api.ipify.org.herokudns.com

United States

Details

IP:	3.220.57.224
TargetID:	10
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	14618
ASN name:	AMAZON-AESUS
Private:	false
Domain:	api.ipify.org.herokudns.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CasPol_RASAPI32

FileDirectory