Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

t13pv4ox18.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\AECAECFCAAEBFHIEHDGH

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\AECAECFCAAEBFHIEHDGHDHCBAK

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\AQRFEVRTGL.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\ATJBEMHSSB.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\BJZFPPWAPT.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\BKFHCGIDBAAFHIDHDAAE

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\EEGWXUHVUG.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\EEGWXUHVUG.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\EFOYFBOLXA.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\EOWRVPQCCS.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\GDHIEHJE

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\HCAEHDHDAKJEBGCBKKJEBGDGII

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\HJDGCGDB

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\ProgramData\HJDHCFCBGIDGHJJKJJDGHDGDHI

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\KJKEHIIJJECFHJKECFHDGIIDBG

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_t13pv4ox18.exe_29266767b7447d6caa1e8f7537294766f8cdeb_b506d96e_ca558f20-fd36-4c0a-935a-f59ba570df39\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FFC.tmp.dmp

Mini DuMP crash report, 14 streams, Sat May 4 22:01:24 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5136.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51A4.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\NIRMEKAMZH.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NVWZAPQSQL.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NYMMPCEIMA.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NYMMPCEIMA.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\SQSJKEBWDT.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 21:01:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Chrome Cache Entry: 115

ASCII text, with very long lines (1657)

downloaded

Chrome Cache Entry: 116

ASCII text, with very long lines (2294)

downloaded

Chrome Cache Entry: 117

ASCII text, with very long lines (6610)

downloaded

Chrome Cache Entry: 118

ASCII text, with very long lines (2956)

downloaded

Chrome Cache Entry: 119

PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 120

ASCII text, with very long lines (2200)

downloaded

Chrome Cache Entry: 121

ASCII text

downloaded

Chrome Cache Entry: 122

ASCII text, with very long lines (736)

downloaded

Chrome Cache Entry: 123

ASCII text, with very long lines (3572), with no line terminators

downloaded

Chrome Cache Entry: 124

ASCII text, with very long lines (769)

downloaded

Chrome Cache Entry: 125

ASCII text, with very long lines (65531)

downloaded

Chrome Cache Entry: 126

PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 127

Web Open Font Format (Version 2), TrueType, length 15344, version 1.0

downloaded

Chrome Cache Entry: 128

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 129

ASCII text, with very long lines (2124)

downloaded

Chrome Cache Entry: 130

HTML document, Unicode text, UTF-8 text, with very long lines (1136)

dropped

Chrome Cache Entry: 131

HTML document, ASCII text, with very long lines (21071)

downloaded

There are 53 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\t13pv4ox18.exe

"C:\Users\user\Desktop\t13pv4ox18.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2788
Target ID:	0
Parent PID:	1028
Name:	t13pv4ox18.exe
Path:	C:\Users\user\Desktop\t13pv4ox18.exe
Commandline:	"C:\Users\user\Desktop\t13pv4ox18.exe"
Size:	334336
MD5:	9E043BF883AFEA72EECBB853B28B21F6
Time:	00:00:53
Date:	05/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	23179264
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///

Details

Is windows:	true
Is dropped:	false
PID:	528
Target ID:	2
Parent PID:	3808
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	00:00:57
Date:	05/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff715980000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1984,i,12478571798044069574,3483504227359408998,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7160
Target ID:	4
Parent PID:	528
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1984,i,12478571798044069574,3483504227359408998,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	00:00:58
Date:	05/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff715980000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2076

Details

Is windows:	true
Is dropped:	false
PID:	2924
Target ID:	9
Parent PID:	2788
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2076
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	00:01:24
Date:	05/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3d0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.172.128.151/7043a0c6a68d9c65.php

185.172.128.151

http://185.172.128.151/8420e83ceb95f3af/softokn3.dll

185.172.128.151

http://185.1

unknown

http://185.172.128.151/8420e83ceb95f3af/vcruntime140.dll

185.172.128.151

http://185.172.128.151/8420e83ceb95f3af/sqlite3.dll

185.172.128.151

http://185.172.128.151/8420e83ceb95f3af/freebl3.dll

185.172.128.151

http://185.172.128.151/8420e83ceb95f3af/mozglue.dll

185.172.128.151

185.172.128.151/7043a0c6a68d9c65.php

http://185.172.128.151/8420e83ceb95f3af/nss3.dll

185.172.128.151

http://185.172.128.151

unknown

http://185.172.128.151/8420e83ceb95f3af/msvcp140.dll

185.172.128.151

https://duckduckgo.com/chrome_newtab

unknown

https://ogs.google.com/

unknown

https://duckduckgo.com/ac/?q=

unknown

http://www.broofa.com

unknown

http://185.172.128.151/7043a0c6a68d9c65.php0

unknown

http://185.172.128.151/7043a0c6a68d9c65.php8

unknown

https://www.google.com/log?format=json&hasfast=true

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpnts

unknown

http://185.172.128.151/7043a0c6a68d9c65.php522a08e5d33469256bc74920121a

unknown

https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1

unknown

http://185.172.128.151/7043a0c6a68d9c65.php$

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpBrowser

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpP

unknown

https://csp.withgoogle.com/csp/lcreport/

unknown

https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en

http://185.172.128.151/8420e83ceb95f3af/vcruntime140.dllU

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.251.167.103

https://apis.google.com

unknown

https://ogs.google.com/widget/app/so

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpD

unknown

https://domains.google.com/suggest/flow

unknown

http://www.sqlite.org/copyright.html.

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpH

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpn

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpl

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpv

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpt

unknown

http://185.172.128.151/8420e83ceb95f3af/nss3.dllD

unknown

https://apis.google.com/js/api.js

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpx

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://www.google.com/async/newtab_promos

142.251.167.103

http://upx.sf.net

unknown

https://play.google.com/log?format=json&hasfast=true&authuser=0

142.251.163.102

http://185.172.128.151/8420e83ceb95f3af/vcruntime140.dllE

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://plus.google.com

unknown

https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://www.google.com/async/ddljson?async=ntp:2

142.251.167.103

https://play.google.com/log?format=json&hasfast=true

unknown

http://185.172.128.151/8420e83ceb95f3af/msvcp140.dllX

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.251.167.103

https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL

unknown

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0

142.251.16.102

https://support.mozilla.org

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://185.172.128.151/7043a0c6a68d9c65.phpndpoint

unknown

https://clients6.google.com

unknown

There are 56 hidden URLs, click here to show them.

Domains

Name

Malicious

plus.l.google.com

142.251.16.102

www3.l.google.com

142.251.167.138

play.google.com

142.251.163.102

Details

Name:	play.google.com
IP:	142.251.163.102
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

www.google.com

142.251.167.103

Details

Name:	www.google.com
IP:	142.251.167.103
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

ogs.google.com

unknown

Details

Name:	ogs.google.com
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

apis.google.com

unknown

Details

Name:	apis.google.com
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.172.128.151

unknown

Russian Federation

Details

IP:	185.172.128.151
TargetID:	0
Current Path:	C:\Users\user\Desktop\t13pv4ox18.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	50916
ASN name:	NADYMSS-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

192.168.2.5

unknown

Details

IP:	192.168.2.5
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.251.167.103

www.google.com

United States

142.251.16.102

plus.l.google.com

United States

142.251.163.102

play.google.com

United States

239.255.255.250

unknown

Reserved