Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SetupSuite_21.8_win64_86_sm.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.538850993530861
Filename:	SetupSuite_21.8_win64_86_sm.exe
Filesize:	18984288
MD5:	ddda012671f0ca2ca213060073b063e2
SHA1:	462783a60146a405f20bba176c4d5f95bf5f785c
SHA256:	61b02846fae730a5b900745cf6fb113993254268609542a5a00404fe9ca985f2
SHA512:	8d511c809089792ec3d788e04258fe1d3ea91bf128ab4b3688876e62b626b7d11ee305035b480612933c09944b27a842b12cffeb109121c6583794024ab3c867
SSDEEP:	393216:mzJGidgsS3yMvyB4JfQO/DEkf8xzw734BtnSCmlmD:8Ay6xQOgmwnMmD
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
PE / OLE file has an invalid certificate	System Summary
PE file contains executable resources (Code or Archives)	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\ejhooxmigi

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ejhooxmigi
Category:	dropped
Dump:	ejhooxmigi.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.31138663388361
Encrypted:	false
Ssdeep:	3072:Rv/o4s3raz5clrcWA7JwbxOi6m+T6T0zmujWYQRwUdFUNwt/mGrtItNVLhL:NUG54rmmdv6mjgWY3xKBmGxKNVLhL
Size:	215040
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_a1268644ceb8eaff376c614320123715bd5a50e2_8e15b34f_277283f0-3521-4c94-95e7-18f9e405a0ea\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_a1268644ceb8eaff376c614320123715bd5a50e2_8e15b34f_277283f0-3521-4c94-95e7-18f9e405a0ea\Report.wer
Category:	dropped
Dump:	Report.wer.8.dr
ID:	dr_4
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.759957133239478
Encrypted:	false
Ssdeep:	96:6GFw58uccgIKW3sAZQCoI7JfdQXIDcQvc6QcEVcw3cE/OUeU3+HbHgS8BRTf3o8E:lQcsz3S0BU/wjmjzuiFSZ24IO8c
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5825.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Apr 30 14:45:21 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5825.tmp.dmp
Category:	dropped
Dump:	WER5825.tmp.dmp.8.dr
ID:	dr_6
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Apr 30 14:45:21 2024, 0x1205a4 type
Entropy:	1.9647422571328395
Encrypted:	false
Ssdeep:	96:5p8SE3cZsIzTamvQOm1svqo2NDtrleawsi79f8WI0iFe6YZ6RwRDlXK7DfxQgkVq:U6As5weabONumZFRuyXdTfGj1H
Size:	39912
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER599D.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER599D.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER599D.tmp.WERInternalMetadata.xml.8.dr
ID:	dr_7
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.693417330926189
Encrypted:	false
Ssdeep:	192:R6l7wVeJGp6z+5d+e6YjB6AxxgmfqbCprB89b25sf2ym:R6lXJ46z+dX6Yl6Angmfqb52Sfq
Size:	8340
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER59BE.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER59BE.tmp.xml
Category:	dropped
Dump:	WER59BE.tmp.xml.8.dr
ID:	dr_3
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.490234156187545
Encrypted:	false
Ssdeep:	48:cvIwWl8zseJg77aI9HsWpW8VYbEYm8M4JygF5+q8EJfTld:uIjfUI7dF7VEJ3/fTld
Size:	4693
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\ef788a7f

PNG image data, 2128 x 867, 8-bit/color RGB, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ef788a7f
Category:	dropped
Dump:	ef788a7f.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
Type:	PNG image data, 2128 x 867, 8-bit/color RGB, non-interlaced
Entropy:	7.99082126674057
Encrypted:	true
Ssdeep:	24576:Qh4aMFvjPAkyr8zVtrQzoRKk7GSuWKtXDqw0KUlMcHK4r:Q2ai9yAzooIgXpKtzqw0JMqr
Size:	1002425
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\eff80ba8

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\eff80ba8
Category:	dropped
Dump:	eff80ba8.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
Type:	data
Entropy:	7.471604962065227
Encrypted:	false
Ssdeep:	12288:FrII/Qc66PzcQkvD2+VYk7HFODf9QQc0v9BoGq5vOjXlKedzB6mXMiKL:JHoc64zc8t8Fk2Qc0v9+rOjXkeFwniKL
Size:	938549
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.8.dr
ID:	dr_5
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.422222645300101
Encrypted:	false
Ssdeep:	6144:sSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNf0uhiTw:XvloTyW+EZMM6DFy503w
Size:	1835008
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe

"C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4444
Target ID:	0
Parent PID:	1028
Name:	SetupSuite_21.8_win64_86_sm.exe
Path:	C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
Commandline:	"C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe"
Size:	18984288
MD5:	DDDA012671F0CA2CA213060073B063E2
Time:	16:44:49
Date:	30/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5a0000
Modulesize:	19107840
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains executable resources (Code or Archives)	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\cmd.exe

Details

Is windows:	true
Is dropped:	false
PID:	3092
Target ID:	2
Parent PID:	4444
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\SysWOW64\cmd.exe
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	16:44:51
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Proxy Execution Via Explorer.exe	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\explorer.exe

Details

Is windows:	true
Is dropped:	false
PID:	1360
Target ID:	5
Parent PID:	3092
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\SysWOW64\explorer.exe
Commandline:	C:\Windows\SysWOW64\explorer.exe
Size:	4514184
MD5:	DD6597597673F72E10C9DE7901FBA0A8
Time:	16:45:11
Date:	30/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xbc0000
Modulesize:	4493312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Launches a second explorer.exe instance	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sigma detected: Proxy Execution Via Explorer.exe	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5892
Target ID:	3
Parent PID:	3092
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:44:51
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460

Details

Is windows:	true
Is dropped:	false
PID:	3504
Target ID:	8
Parent PID:	1360
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	16:45:20
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb20000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://tufure.xyz

http://www.codeplex.com/prism:Microsoft.Practices.Prism.Interactivity.InteractionRequest

unknown

http://DotNetZip.codeplex.com/

unknown

http://www.vmware.com/0

unknown

http://169.254.170.2

unknown

http://scripts.sil.org/OFLRazerF5LightItalic

unknown

http://scripts.sil.org/OFLRazerF5SemiBoldItalic

unknown

https://t.me/sa9okfgshhttps://steamcommunity.com/profiles/76561199658817715sql.dllsqlm.dllMozilla/5.

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://www.razer.com/sw-eula

unknown

http://logging.apache.org/log4net/release/faq.html#trouble-EventLog

unknown

http://www.razerzone.com/synapse

unknown

https://nlog-project.org/

unknown

https://www.newtonsoft.com/json

unknown

https://kinesis.us-gov-west-1.amazonaws.com

unknown

https://twitter.com/intent/follow?screen_name=Razer

unknown

http://169.254.170.2aUnable

unknown

http://scripts.sil.org/OFLRazerF5ThinItalic

unknown

http://razer.com/software

unknown

http://www.openssl.org/support/faq.html

unknown

https://steamcommunity.com/profiles/76561199658817715

http://www.codeplex.com/prism

unknown

http://www.codeplex.com/CompositeWPF

unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://compositewpf.codeplex.com/

unknown

http://nlog-project.org/dummynamespace/

unknown

http://www.2brightsparks.com/foc/foc-v-check.txt

unknown

http://www.2brightsparks.com/onclick/index.html

unknown

http://scripts.sil.org/OFLCopyright

unknown

https://ip-ranges.amazonaws.com/ip-ranges.json

unknown

http://scripts.sil.org/OFLRazerF5Thin

unknown

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

unknown

http://scripts.sil.org/OFLRazerF5SemiBold

unknown

http://assets.razerzone.com/eeimages/categories/14594/razer-gaming-softwares-category-gamebooster-us

unknown

http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html

unknown

https://github.com/NLog/NLog.git

unknown

http://schemas.datacontract.org/2004/07/Razer.ActionService

unknown

https://kinesis.us-gov-east-1.amazonaws.com

unknown

http://ocsp.thawte.com0

unknown

https://discovery.razerapi.com:https://manifest.razerapi.com

unknown

http://assets.razerzone.com/eeimages/categories/14594/razer-gaming-softwares-category-comms-usp.png

unknown

https://albedozero-staging.razerapi.com/password

unknown

http://www.vmware.com/0/

unknown

http://www.razerzone.com/surround

unknown

https://steamcommunity.com/profiles/76561199658817715fgshMozilla/5.0

unknown

http://upx.sf.net

unknown

http://www.symauth.com/cps0(

unknown

https://www.nuget.org/packages/NLog.Web.AspNetCore

unknown

https://tufure.xyzCristina

unknown

http://james.newtonking.com/projects/json

unknown

http://www.razerzone.com

unknown

https://albedozero.razerapi.com/datapipelineQhttps://albedozero.razerapi.com/passwordihttps://albedo

unknown

https://t.me/sa9ok

unknown

http://scripts.sil.org/OFLRazerF5Light

unknown

http://www.2brightsparks.com/onclick/help/

unknown

http://www.razerzone.com/comms

unknown

http://www.symauth.com/rpa00

unknown

https://www.newtonsoft.com/jsonschema

unknown

http://www.apache.org/licenses/LICENSE-2.0Roboto

unknown

https://insider.razer.com

unknown

http://www.info-zip.org/

unknown

http://www.codeplex.com/DotNetZip

unknown

https://u05srooyhc.execute-api.us-east-1.amazonaws.com/sts

unknown

https://www.nuget.org/packages/Newtonsoft.Json.Bson

unknown

http://www.razerzone.com/cortex

unknown

http://scripts.sil.org/OFL

unknown

http://assets.razerzone.com/eeimages/products/17531/940x573-01-02.png

unknown

http://169.254.169.254

unknown

https://ec.razer.com

unknown

There are 61 hidden URLs, click here to show them.