Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

oTIHRjz4dn.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.50748341818255
Filename:	oTIHRjz4dn.exe
Filesize:	442880
MD5:	cc9b99cbe81eb73c242aee7507b24206
SHA1:	b237cbe8a53534b73f1624213fded9fd67258e37
SHA256:	8939a6a2ab0924c21b0ee812340da080dccd3396b5a698f06740aa2f49ff9bf7
SHA512:	a92c4f1b6874fa36dc8c10e49bf80ba8841d66beaf3300912ebaae9895860773cfcb98ebd26868b4a8ae8e9df69076670f0ce906a4eab0e644163b0c09e676f6
SSDEEP:	12288:OcqgYuFxzYN2VBeEezy5ByqupeEct07KQUu:7qgYuFtk0myOn7yu
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses 32bit PE files	Compliance, System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates mutexes	System Summary
Creates temporary files	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\246122658369

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\246122658369
Category:	dropped
Dump:	246122658369.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\oTIHRjz4dn.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Entropy:	7.84798100930978
Encrypted:	false
Ssdeep:	1536:CwjF/xd+V0kEoc/IpEheootMoFPRCMdJ5PahBaluFZngbzlPNsI8DDDOVbdo/M7:Hh/xcikEocHhe/yMdHRuFZnozdWPDDDY
Size:	84893
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\oTIHRjz4dn.exe

"C:\Users\user\Desktop\oTIHRjz4dn.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6952
Target ID:	0
Parent PID:	2580
Name:	oTIHRjz4dn.exe
Path:	C:\Users\user\Desktop\oTIHRjz4dn.exe
Commandline:	"C:\Users\user\Desktop\oTIHRjz4dn.exe"
Size:	442880
MD5:	CC9B99CBE81EB73C242AEE7507B24206
Time:	18:51:57
Date:	27/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x800000
Modulesize:	466944
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Amadeys stealer DLL	Stealing of Sensitive Information
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

http://greatnessappreviews.com/8BvxwQdec3/index.php?scr=1

45.156.23.149

greatnessappreviews.com/8BvxwQdec3/index.php

http://greatnessappreviews.com/8BvxwQdec3/index.php

45.156.23.149

http://greatnessappreviews.com/8BvxwQdec3/index.phpO

unknown

http://greatnessappreviews.com/

unknown

http://greatnessappreviews.com/8BvxwQdec3/index.phpQ

unknown

http://greatnessappreviews.com/8BvxwQdec3/index.php5

unknown

http://greatnessappreviews.com/8BvxwQdec3/index.php?scr=1N8

unknown

http://greatnessappreviews.com/8BvxwQdec3/index.php?scr=1n8

unknown

http://greatnessappreviews.com/8BvxwQdec3/index.phpny

unknown

Domains

Name

Malicious

greatnessappreviews.com

45.156.23.149

Details

Name:	greatnessappreviews.com
IP:	45.156.23.149
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

rtattack.xycydau0.fun

unknown

IPs

Domain

Country

Malicious

45.156.23.149

greatnessappreviews.com

Russian Federation

Details

IP:	45.156.23.149
TargetID:	0
Current Path:	C:\Users\user\Desktop\oTIHRjz4dn.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	56971
ASN name:	CLOUDBACKBONERU
Private:	false
Domain:	greatnessappreviews.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

45.129.199.237

unknown

Russian Federation

Details

IP:	45.129.199.237
TargetID:	0
Current Path:	C:\Users\user\Desktop\oTIHRjz4dn.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	201971
ASN name:	CREEPERHOSTLTD-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

801000

unkown

page execute read

153A000

heap

page read and write

3730000

heap

page read and write

3B7A000

heap

page read and write

3B80000

heap

page read and write

14C0000

heap

page read and write

12FD000

heap

page read and write

4C97000

heap

page read and write

3B80000

heap

page read and write

1660000

heap

page read and write

3B80000

heap

page read and write

14CA000

heap

page read and write

35C0000

heap

page read and write

12E4000

heap

page read and write

4794000

heap

page read and write

12CB000

heap

page read and write

12F2000

heap

page read and write

164A000

heap

page read and write

3B9A000

heap

page read and write

3B8A000

heap

page read and write

1640000

heap

page read and write

865000

unkown

page write copy

3B9A000

heap

page read and write

4C98000

heap

page read and write

86A000

unkown

page readonly

12E4000

heap

page read and write

132A000

heap

page read and write

4C9D000

heap

page read and write

14D0000

heap

page read and write

14DA000

heap

page read and write

166A000

heap

page read and write

3BB0000

heap

page read and write

4C9E000

heap

page read and write

3BC0000

heap

page read and write

4C92000

heap

page read and write

12F2000

heap

page read and write

16E0000

heap

page read and write

1327000

heap

page read and write

1540000

heap

page read and write

12FD000

heap

page read and write

4C91000

heap

page read and write

17B0000

heap

page read and write

4C96000

heap

page read and write

4C92000

heap

page read and write

15CA000

heap

page read and write

1310000

heap

page read and write

173A000

heap

page read and write

3B2A000

heap

page read and write

12DB000

heap

page read and write

14B0000

heap

page read and write

3B8A000

heap

page read and write

3BD0000

heap

page read and write

4C97000

heap

page read and write

1530000

heap

page read and write

3B8A000

heap

page read and write

4C9D000

heap

page read and write

3B20000

heap

page read and write

4C9A000

heap

page read and write

12D3000

heap

page read and write

35CA000

heap

page read and write

4793000

heap

page read and write

3B70000

heap

page read and write

3B90000

heap

page read and write

4C9A000

heap

page read and write

154A000

heap

page read and write

4C92000

heap

page read and write

4C9B000

heap

page read and write

15C0000

heap

page read and write

4C99000

heap

page read and write

1326000

heap

page read and write

4C9A000

heap

page read and write

4C96000

heap

page read and write

4C99000

heap

page read and write

4C9E000

heap

page read and write

14BA000

heap

page read and write

3B90000

heap

page read and write

17BA000

heap

page read and write

1730000

heap

page read and write

4C94000

heap

page read and write

800000

unkown

page readonly

3BBA000

heap

page read and write

12DF000

heap

page read and write

4C96000

heap

page read and write

3230000

heap

page read and write

373A000

heap

page read and write

1310000

heap

page read and write

3BCA000

heap

page read and write

4C97000

heap

page read and write

4C98000

heap

page read and write

852000

unkown

page readonly

1317000

heap

page read and write

3BDA000

heap

page read and write

323A000

heap

page read and write

1530000

heap

page read and write

4C96000

heap

page read and write

131A000

heap

page read and write

153A000

heap

page read and write

870000

unkown

page write copy

16EA000

heap

page read and write

There are 89 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
oTIHRjz4dn.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportoTIHRjz4dn.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
oTIHRjz4dn.exe