Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

pYJeC4VJbw.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\AAEGHJKJ

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\AIXACVYBSB.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\AIXACVYBSB.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\CBKJEGCBKKJECBGCGDBAKJEBAA

SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11

dropped

C:\ProgramData\DTBZGIOOSO.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\GIJKKKFC

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\HIIIDAKKJJJKKECAKKJE

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\IDAKJKEHDBGHIDHIEHDBAAFHJK

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\JDBFIIEBGCAKKEBFBAAF

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\JDGCGHCGHCBFHJJKKJEHJEHJEH

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\KATAXZVCPS.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NHPKIZUUSG.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\VLZDGUKUTZ.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\XZXHAVGRAG.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\XZXHAVGRAG.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

data

dropped

There are 20 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\pYJeC4VJbw.exe

"C:\Users\user\Desktop\pYJeC4VJbw.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6936
Target ID:	0
Parent PID:	2580
Name:	pYJeC4VJbw.exe
Path:	C:\Users\user\Desktop\pYJeC4VJbw.exe
Commandline:	"C:\Users\user\Desktop\pYJeC4VJbw.exe"
Size:	358400
MD5:	14C3DB1BDBA407C23F0E80BBFDD6DB0F
Time:	11:19:53
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	40980480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll

168.119.248.46

https://duckduckgo.com/chrome_newtab

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

https://duckduckgo.com/ac/?q=

unknown

https://shaffatta.com/JKEHDBGHIDHIEHDBAAFHJK

unknown

https://shaffatta.com/D

unknown

https://shaffatta.com/fdca69ae739b4897.php

168.119.248.46

https://shaffatta.com/

unknown

https://shaffatta.com/fdca69ae739b4897.php4r#

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll

168.119.248.46

https://shaffatta.com/fdca69ae739b4897.php-

unknown

https://shaffatta.com/ost:

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

https://shaffatta.com/fatta.com/32e011d2eaa85a0/nss3.dllY

unknown

https://shaffatta.com/8s/

unknown

https://shaffatta.com/fdca69ae739b4897.php&

unknown

https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK

unknown

https://shaffatta.com/fdca69ae739b4897.phpmple-storage.jsoncoOaY

unknown

https://shaffatta.com/)

unknown

https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll8

unknown

https://shaffatta.com/32e011d2eaa85a0/nss3.dllc

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://shaffatta.com/1

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe

unknown

https://shaffatta.com/5

unknown

https://shaffatta.com/fdca69ae739b4897.php7s&

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe

unknown

https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll)

unknown

https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllx

unknown

https://shaffatta.com/fdca69ae739b4897.phpUs

unknown

http://www.sqlite.org/copyright.html.

unknown

https://shaffatta.com/d32e011d2eaa85a0/nss3.dll

168.119.248.46

https://cdn.epnacl

unknown

https://shaffatta.com/fdca69ae739b4897.php8s/

unknown

https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllH

unknown

https://shaffatta.com/fdca69ae739b4897.phpa

unknown

https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll

168.119.248.46

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://shaffatta.com/fdca69ae739b4897.phpys

unknown

https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllF

unknown

https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://shaffatta.com/GHCGHCBFHJJKKJEHJEHJEH

unknown

https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll

168.119.248.46

https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll

168.119.248.46

https://shaffatta.com/ozglue.dll

unknown

https://shaffatta.com/fdca69ae739b4897.phption:

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://shaffatta.com/es

unknown

https://www.ecosia.org/newtab/

unknown

https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll/

unknown

https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll

unknown

https://shaffatta.com/fdca69ae739b4897.phpi

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://cdn.ep

unknown

https://shaffatta.com/Hs

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://shaffatta.com

unknown

https://shaffatta.com/c

unknown

https://shaffatta.com/fatta.com/

unknown

https://shaffatta.com/amData

unknown

https://shaffatta.com/3r:

unknown

https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll

168.119.248.46

https://shaffatta.com/32e011d2eaa85a0/nss3.dll

unknown

https://shaffatta.com/d32e011d2eaa85a0/nss3.dllp

unknown

https://shaffatta.com/fdca69ae739b4897.phpGs

unknown

https://support.mozilla.org

unknown

https://shaffatta.com/d32e011d2eaa85a0/nss3.dlln

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://shaffatta.com/fdca69ae739b4897.phpCoinomi

unknown

https://shaffatta.comC

unknown

There are 64 hidden URLs, click here to show them.

Domains

Name

Malicious

shaffatta.com

168.119.248.46

Details

Name:	shaffatta.com
IP:	168.119.248.46
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

168.119.248.46

shaffatta.com

Germany

Details

IP:	168.119.248.46
TargetID:	0
Current Path:	C:\Users\user\Desktop\pYJeC4VJbw.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	shaffatta.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2C80000

direct allocation

page execute and read and write

2CC0000

direct allocation

page read and write

400000

unkown

page execute and read and write

2DD5000

heap

page read and write

234A0000

heap

page read and write

2BF0000

heap

page read and write

234A0000

heap

page read and write

6D210000

unkown

page read and write

1CEDE000

stack

page read and write

2349D000

heap

page read and write

61EB4000

direct allocation

page read and write

624000

unkown

page execute and read and write

1CE9D000

stack

page read and write

448000

unkown

page execute and read and write

298F4000

heap

page read and write

549000

unkown

page execute and read and write

1D4F0000

heap

page read and write

30A0000

heap

page read and write

1D49B000

heap

page read and write

2C47000

heap

page read and write

2E3E000

heap

page read and write

29909000

heap

page read and write

234BE000

heap

page read and write

2CB0000

heap

page read and write

23494000

heap

page read and write

234B3000

heap

page read and write

29510000

heap

page read and write

1CC1F000

stack

page read and write

234A0000

heap

page read and write

234A0000

heap

page read and write

23498000

heap

page read and write

234A0000

heap

page read and write

1D02E000

stack

page read and write

2CFE000

stack

page read and write

234B1000

heap

page read and write

1D4A8000

heap

page read and write

23496000

heap

page read and write

40C000

unkown

page readonly

2FEE000

stack

page read and write

234BC000

heap

page read and write

19C000

stack

page read and write

23499000

heap

page read and write

1D311000

heap

page read and write

2349E000

heap

page read and write

9C000

stack

page read and write

2D97000

heap

page execute and read and write

2985F000

stack

page read and write

234AF000

heap

page read and write

234A0000

heap

page read and write

2E09000

heap

page read and write

1D190000

remote allocation

page read and write

2E31000

heap

page read and write

61ECD000

direct allocation

page readonly

6D00D000

unkown

page readonly

1CD9E000

stack

page read and write

1D300000

heap

page read and write

234A0000

heap

page read and write

306E000

stack

page read and write

1D12E000

stack

page read and write

234B1000

heap

page read and write

2E7A000

heap

page read and write

1D508000

heap

page read and write

636000

unkown

page execute and read and write

234A0000

heap

page read and write

195000

stack

page read and write

29520000

heap

page read and write

6D030000

unkown

page readonly

23487000

heap

page read and write

401000

unkown

page execute read

234B1000

heap

page read and write

6D031000

unkown

page execute read

2EE0000

heap

page read and write

1CFDE000

stack

page read and write

1D2CF000

stack

page read and write

1C5DF000

stack

page read and write

6D1CF000

unkown

page readonly

1F0000

heap

page read and write

2D3E000

stack

page read and write

2D80000

heap

page read and write

2C70000

heap

page read and write

23493000

heap

page read and write

234A0000

heap

page read and write

2C14000

direct allocation

page execute and read and write

1D495000

heap

page read and write

1D310000

heap

page read and write

2C00000

direct allocation

page execute and read and write

61ED3000

direct allocation

page read and write

23487000

heap

page read and write

1D1CE000

stack

page read and write

2349E000

heap

page read and write

41A000

unkown

page readonly

6D20F000

unkown

page write copy

1D498000

heap

page read and write

23486000

heap

page read and write

400000

unkown

page readonly

234B9000

heap

page read and write

1CD5F000

stack

page read and write

234AD000

heap

page read and write

6D215000

unkown

page readonly

2975E000

stack

page read and write

1D190000

remote allocation

page read and write

23496000

heap

page read and write

234B1000

heap

page read and write

23496000

heap

page read and write

2E80000

heap

page read and write

23496000

heap

page read and write

6D20E000

unkown

page read and write

2AFC000

unkown

page readonly

234A0000

heap

page read and write

43E000

unkown

page write copy

234BF000

heap

page read and write

2EEB000

heap

page read and write

2C63000

direct allocation

page read and write

2349A000

heap

page read and write

234A0000

heap

page read and write

2DC0000

heap

page execute and read and write

1D4FF000

heap

page read and write

234BF000

heap

page read and write

234A0000

heap

page read and write

23486000

heap

page read and write

2C7C000

direct allocation

page read and write

2E7D000

heap

page read and write

1CC5E000

stack

page read and write

1CB1F000

stack

page read and write

44B000

unkown

page execute and read and write

2DBB000

heap

page read and write

6CF90000

unkown

page readonly

6D01E000

unkown

page read and write

2C50000

direct allocation

page read and write

2951C000

heap

page read and write

2E7D000

heap

page read and write

23496000

heap

page read and write

23496000

heap

page read and write

1CA1F000

stack

page read and write

6CF91000

unkown

page execute read

23493000

heap

page read and write

234B1000

heap

page read and write

234B3000

heap

page read and write

1D190000

remote allocation

page read and write

6D022000

unkown

page readonly

2E26000

heap

page read and write

2E38000

heap

page read and write

1D48F000

heap

page read and write

234B2000

heap

page read and write

23586000

heap

page read and write

29901000

heap

page read and write

2E3E000

heap

page read and write

23499000

heap

page read and write

2AFC000

unkown

page readonly

2349C000

heap

page read and write

2EDE000

stack

page read and write

1D410000

heap

page read and write

61ECC000

direct allocation

page read and write

2AE9000

unkown

page execute and read and write

61ED4000

direct allocation

page readonly

2C40000

heap

page read and write

234A0000

heap

page read and write

1D410000

trusted library allocation

page read and write

302E000

stack

page read and write

61E01000

direct allocation

page execute read

61E00000

direct allocation

page execute and read and write

1D511000

heap

page read and write

234A0000

heap

page read and write

234B1000

heap

page read and write

234BF000

heap

page read and write

234B1000

heap

page read and write

23499000

heap

page read and write

234B1000

heap

page read and write

234A0000

heap

page read and write

61ED0000

direct allocation

page read and write

234B9000

heap

page read and write

23493000

heap

page read and write

23496000

heap

page read and write

1D4A1000

heap

page read and write

234A0000

heap

page read and write

234BE000

heap

page read and write

2349C000

heap

page read and write

234B2000

heap

page read and write

2C45000

heap

page read and write

2D8A000

heap

page read and write

61EB7000

direct allocation

page readonly

2D8E000

heap

page read and write

234BF000

heap

page read and write

234BE000

heap

page read and write

There are 174 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
pYJeC4VJbw.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportpYJeC4VJbw.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
pYJeC4VJbw.exe