Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\server.exe

Details

Is windows:	false
Is dropped:	false
PID:	3396
Target ID:	0
Parent PID:	3324
Name:	server.exe
Path:	C:\Users\user\Desktop\server.exe
Commandline:	C:\Users\user\Desktop\server.exe
Size:	239104
MD5:	0A7EFDF643E54621FE9B9E5A29C06FAF
Time:	09:25:01
Date:	14/03/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	757760
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

http://62.173.142.51/drew/LtSfNQUl38_2FDY/ZDiSMzVFZT8P12cRCR/wFifr57eD/E3QMnm3R09oCMKEqF_2B/hL6JR5JZ5RzfthDXDEL/QXKRNOEf5KUe4lOcOOnAWe/S7o7DbUVctcaA/rpMZ8DLG/JY7e7d4k8lkZ3XBI4AKdEOg/JVfUtdkUf4/lNi_2BCjIiDW9oaJC/JQY6K3BrLDok/oxD2Jl0W61e/9srw8Wtoy2vC2X/zMM4BIJQlabgMVrliSBbF/6bQOsnbMJ830WmQE/8fSuWxKUlXv_2FI/uixxrgswLUL3BF62nt/g_2FwBw.jlk

62.173.142.51

Details

Name:	http://62.173.142.51/drew/LtSfNQUl38_2FDY/ZDiSMzVFZT8P12cRCR/wFifr57eD/E3QMnm3R09oCMKEqF_2B/hL6JR5JZ5RzfthDXDEL/QXKRNOEf5KUe4lOcOOnAWe/S7o7DbUVctcaA/rpMZ8DLG/JY7e7d4k8lkZ3XBI4AKdEOg/JVfUtdkUf4/lNi_2BCjIiDW9oaJC/JQY6K3BrLDok/oxD2Jl0W61e/9srw8Wtoy2vC2X/zMM4BIJQlabgMVrliSBbF/6bQOsnbMJ830WmQE/8fSuWxKUlXv_2FI/uixxrgswLUL3BF62nt/g_2FwBw.jlk
IP:	62.173.142.51
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\server.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

http://94.103.183.153/drew/45gwNn56tT_2B9DMppZLO6W/TY9yvuDrMO/NH6qQboGYLppgh3VY/fD0WTQxe_2Fc/8f_2F5pvK0k/5pc3M5q5_2FYt3/4jI4o0hOzWp0EtrTpDvY_/2BQflNotHm9IIPtO/mq9Dn1qgGdHgrmy/Xs1KDbSG454LVnULzq/seDw5rP1a/cxTqaNB2y_2FVHNjeaDU/t9me_2FSk8oJCJKH9Zx/OgVVwZaLyIQ6GcJMvVJZLX/3Iqej_2B4U8Se/qkLHdDp4/xkbU42A8qDuBydy0uePKn7_/2FGqiSuVoF/gyerokGYzhvdYj/f.jlk

94.103.183.153

Details

Name:	http://94.103.183.153/drew/45gwNn56tT_2B9DMppZLO6W/TY9yvuDrMO/NH6qQboGYLppgh3VY/fD0WTQxe_2Fc/8f_2F5pvK0k/5pc3M5q5_2FYt3/4jI4o0hOzWp0EtrTpDvY_/2BQflNotHm9IIPtO/mq9Dn1qgGdHgrmy/Xs1KDbSG454LVnULzq/seDw5rP1a/cxTqaNB2y_2FVHNjeaDU/t9me_2FSk8oJCJKH9Zx/OgVVwZaLyIQ6GcJMvVJZLX/3Iqej_2B4U8Se/qkLHdDp4/xkbU42A8qDuBydy0uePKn7_/2FGqiSuVoF/gyerokGYzhvdYj/f.jlk
IP:	94.103.183.153
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\server.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

http://94.103

unknown

Details

Name:	http://94.103
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\server.exe
Source:	server.exe, 00000000.00000002.565488240.000000000233C000.00000004.00000010.00020000.00000000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

checklist.skype.com

unknown

Details

Name:	checklist.skype.com
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

62.173.142.51

unknown

Russian Federation

Details

IP:	62.173.142.51
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	34300
ASN name:	SPACENET-ASInternetServiceProviderRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

94.103.183.153

unknown

Russian Federation

Details

IP:	94.103.183.153
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	197390
ASN name:	RATELE-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

Memdumps

Base Address

Regiontype

Protect

Malicious

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

2E28000

heap

page read and write

21F0000

heap

page read and write

60A000

heap

page read and write

21EE000

stack

page read and write

403000

unkown

page execute and read and write

2E2B000

heap

page read and write

19C000

stack

page read and write

682000

heap

page read and write

377F000

stack

page read and write

2A30000

heap

page read and write

68B000

heap

page read and write

337F000

stack

page read and write

2230000

heap

page read and write

42C000

unkown

page read and write

600000

heap

page read and write

357A000

stack

page read and write

550000

direct allocation

page execute and read and write

9D000

stack

page read and write

23AE000

stack

page read and write

57A000

unclassified section

page read and write

41A000

unkown

page write copy

2E2B000

heap

page read and write

401000

unkown

page execute read

405000

unkown

page execute and read and write

57C000

unclassified section

page readonly

233C000

stack

page read and write

4AB000

unkown

page readonly

2480000

heap

page read and write

367F000

stack

page read and write

29CE000

stack

page read and write

4A9000

unkown

page read and write

400000

unkown

page execute and read and write

2878000

heap

page read and write

675000

heap

page read and write

41A000

unkown

page write copy

682000

heap

page read and write

21AE000

stack

page read and write

27F9000

heap

page read and write

245D000

stack

page read and write

5CC000

stack

page read and write

571000

unclassified section

page execute read

675000

heap

page read and write

560000

direct allocation

page read and write

30000

heap

page read and write

570000

unclassified section

page read and write

40F000

unkown

page execute read

2E2B000

heap

page read and write

407000

unkown

page execute and read and write

579000

unclassified section

page readonly

327F000

stack

page read and write

347C000

stack

page read and write

2360000

heap

page read and write

620000

heap

page execute and read and write

633000

heap

page read and write

23EE000

stack

page read and write

298F000

stack

page read and write

2410000

heap

page read and write

66A000

heap

page read and write

4AB000

unkown

page readonly

580000

heap

page read and write

400000

unkown

page readonly

686000

heap

page read and write

1F0000

heap

page read and write

2A0E000

stack

page read and write

There are 62 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
server.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportserver.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
server.exe