Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xOg18pHQGOQK.exe

"C:\Users\user\Desktop\xOg18pHQGOQK.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7444
Target ID:	0
Parent PID:	2580
Name:	xOg18pHQGOQK.exe
Path:	C:\Users\user\Desktop\xOg18pHQGOQK.exe
Commandline:	"C:\Users\user\Desktop\xOg18pHQGOQK.exe"
Size:	32768
MD5:	7C56A11493F60539D27F4DC5E6F887E3
Time:	15:20:53
Date:	29/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1d0000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

sendfiletiahforem.duckdns.org

Details

Name:	sendfiletiahforem.duckdns.org
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\xOg18pHQGOQK.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://go.microsoft.

unknown

http://go.microsoft.LinkId=42127

unknown

Details

Name:	http://go.microsoft.LinkId=42127
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\xOg18pHQGOQK.exe
Source:	xOg18pHQGOQK.exe, 00000000.00000002.4103935908.000000000090F000.00000004.00000020.00020000.00000000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

sendfiletiahforem.duckdns.org

85.60.29.68

Details

Name:	sendfiletiahforem.duckdns.org
IP:	85.60.29.68
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

85.60.29.68

sendfiletiahforem.duckdns.org

Spain

Details

IP:	85.60.29.68
TargetID:	0
Current Path:	C:\Users\user\Desktop\xOg18pHQGOQK.exe
Country:	Spain
Countrycode:	ESP
ASN number:	12479
ASN name:	UNI2-ASES
Private:	false
Domain:	sendfiletiahforem.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

HKEY_CURRENT_USER\SOFTWARE\1d3f999c897

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

1D2000

unkown

page readonly

AC2000

trusted library allocation

page execute and read and write

90F000

heap

page read and write

4A8C000

stack

page read and write

4ACC000

stack

page read and write

B4E000

stack

page read and write

5C0000

heap

page read and write

4B90000

unclassified section

page read and write

4A30000

trusted library allocation

page read and write

566000

stack

page read and write

90C000

heap

page read and write

4B10000

trusted library allocation

page read and write

2771000

trusted library allocation

page read and write

840000

heap

page execute and read and write

B80000

heap

page read and write

81F000

stack

page read and write

494E000

stack

page read and write

B07000

trusted library allocation

page execute and read and write

1D8000

unkown

page readonly

4B80000

trusted library allocation

page execute and read and write

242E000

stack

page read and write

4970000

trusted library allocation

page read and write

AFA000

trusted library allocation

page execute and read and write

8AE000

heap

page read and write

B60000

heap

page read and write

710000

heap

page read and write

715000

heap

page read and write

AD7000

trusted library allocation

page execute and read and write

860000

heap

page read and write

2774000

trusted library allocation

page read and write

8AA000

heap

page read and write

4980000

trusted library allocation

page execute and read and write

569000

stack

page read and write

AE0000

heap

page read and write

ACA000

trusted library allocation

page execute and read and write

8E0000

heap

page read and write

8A0000

heap

page read and write

469000

stack

page read and write

ABA000

trusted library allocation

page execute and read and write

850000

heap

page read and write

AC0000

trusted library allocation

page read and write

AB2000

trusted library allocation

page execute and read and write

AF2000

trusted library allocation

page execute and read and write

6EE000

stack

page read and write

4A40000

heap

page read and write

4778000

trusted library allocation

page read and write

ADA000

trusted library allocation

page execute and read and write

B0B000

trusted library allocation

page execute and read and write

3771000

trusted library allocation

page read and write

AA4000

trusted library allocation

page read and write

1D0000

unkown

page readonly

B02000

trusted library allocation

page read and write

4A2D000

stack

page read and write

AA0000

trusted library allocation

page read and write

484E000

stack

page read and write

6A0000

heap

page read and write

ACC000

trusted library allocation

page execute and read and write

29FB000

trusted library allocation

page read and write

27C1000

trusted library allocation

page read and write

4B09000

stack

page read and write

There are 50 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xOg18pHQGOQK.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxOg18pHQGOQK.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xOg18pHQGOQK.exe