Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe

"C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5804
Target ID:	13
Parent PID:	7472
Name:	ESET key finder.exe
Path:	C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe
Commandline:	"C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe"
Size:	855552
MD5:	15D7223A5EDCCACFF0CDC2B7209F2B22
Time:	13:35:45
Date:	05/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	888832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe

"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7456
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.FileRepMalware.6681.9154.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe"
Size:	7147009
MD5:	328C956C47EE50D02E59606F7EC2DA63
Time:	13:34:50
Date:	05/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	856064
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp

"C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp" /SL5="$2045E,6188866,801280,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7472
Target ID:	1
Parent PID:	7456
Name:	SecuriteInfo.com.FileRepMalware.6681.9154.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp" /SL5="$2045E,6188866,801280,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe"
Size:	3134464
MD5:	FDAD6E236B4E5D5FF81A354D87BACBC4
Time:	13:34:50
Date:	05/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3194880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(%08)192207080962112986271363245700090061668218406782359533476819003707/

Details

Is windows:	true
Is dropped:	false
PID:	7548
Target ID:	2
Parent PID:	1836
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(%08)192207080962112986271363245700090061668218406782359533476819003707/
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	13:34:54
Date:	05/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2520,i,879092211089403127,1941375681759626372,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7808
Target ID:	4
Parent PID:	7548
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2520,i,879092211089403127,1941375681759626372,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	13:34:55
Date:	05/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://t.me/s/LicenseForAll

unknown

https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

https://github.com/Sperhak323/ESET-key-finderQ

unknown

https://ogs.google.com/

unknown

https://github.com/Sperhak323/ESET-key-finderZhttps://github.com/Sperhak323/ESET-key-finderZhttps://

unknown

https://autohotkey.com

unknown

https://apis.google.com/js/api.js

unknown

https://telegram.me/s/nod323

unknown

https://www.gnu.org/licenses/

unknown

https://www.google.com/log?format=json&hasfast=true

unknown

https://github.com/Sperhak323/ESET-key-findera

unknown

https://www.google.com/async/newtab_promos

142.251.16.103

https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1

unknown

https://plus.google.com

unknown

https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=

unknown

http://www.dk-soft.org/

unknown

http://www.haysoft.org%1-k

unknown

https://www.google.com/async/ddljson?async=ntp:2

142.251.16.103

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.251.16.103

https://csp.withgoogle.com/csp/lcreport/

unknown

https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en

https://github.com/Sperhak323/ESET-key-finder5.30x4BA6D30xFF00000xE042390xF5F6F80xDFEAF00x3030300x29

unknown

https://www.remobjects.com/ps

unknown

https://www.innosetup.com/

unknown

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0

142.251.163.138

https://github.com/Sperhak323/ESET-key-finder

unknown

https://t.me/s/esetnod32freekey

unknown

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.251.16.103

https://apis.google.com

unknown

https://fsf.org/

unknown

https://ogs.google.com/widget/app/so

unknown

https://autohotkey.comCould

unknown

https://domains.google.com/suggest/flow

unknown

https://clients6.google.com

unknown

There are 24 hidden URLs, click here to show them.

Domains

Name

Malicious

plus.l.google.com

142.251.163.138

www3.l.google.com

142.251.167.113

www.google.com

142.251.16.103

Details

Name:	www.google.com
IP:	142.251.16.103
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

ogs.google.com

unknown

Details

Name:	ogs.google.com
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

apis.google.com

unknown

Details

Name:	apis.google.com
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

142.251.16.103

www.google.com

United States

142.251.167.113

www3.l.google.com

United States

192.168.2.4

unknown

142.251.163.138

plus.l.google.com

United States

239.255.255.250

unknown

Reserved

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash