IOC Report
FFAk2gixx5.exe

Files

File Path

Type

Category

Malicious

FFAk2gixx5.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\CGDGHCBGDHJJKECAECBA

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\DBFIDGII

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8

dropped

C:\ProgramData\FCGIJKJJKEBGHJKFIDGCAAFCAF

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\GHJJDGHCBGDHIECBGIDAEHCGDG

SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6

dropped

C:\ProgramData\JECBGCFHCFIDHIDHDGDG

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\JEHIJDGI

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

There are 9 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\FFAk2gixx5.exe

"C:\Users\user\Desktop\FFAk2gixx5.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6784
Target ID:	0
Parent PID:	4004
Name:	FFAk2gixx5.exe
Path:	C:\Users\user\Desktop\FFAk2gixx5.exe
Commandline:	"C:\Users\user\Desktop\FFAk2gixx5.exe"
Size:	296960
MD5:	14CD6D9CBAD80B0E4076212BF7AD937F
Time:	02:51:48
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	40919040
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

IP

Malicious

http://okkolus.com

unknown

http://okkolus.com/dfaf16606234b71d/softokn3.dll

31.41.44.147

http://okkolus.com/cf5cbdf706840b3f.

unknown

http://okkolus.com/dfaf16606234b71d/mozglue.dll

31.41.44.147

http://okkolus.com/dfaf16606234b71d/freebl3.dll

31.41.44.147

http://okkolus.com/dfaf16606234b71d/vcruntime140.dll

31.41.44.147

http://okkolus.com/cf5cbdf706840b3f.php

31.41.44.147

http://okkolus.com/dfaf16606234b71d/msvcp140.dll

31.41.44.147

http://okkolus.com/dfaf16606234b71d/sqlite3.dll

31.41.44.147

http://okkolus.com/dfaf16606234b71d/nss3.dll

31.41.44.147

http://okkolus.com/dfaf16606234b71d/msvcp140.dlluPh

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

http://okkolus.com/dfaf16606234b71d/vcruntime140.dllata

unknown

http://okkolus.com/dfaf16606234b71d/msvcp140.dll.

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dllll

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dll.U

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://okkolus.com/dfaf16606234b71d/mozglue.dllrowser

unknown

http://okkolus.com/cf5cbdf706840b3f.php&)

unknown

http://okkolus.com/dfaf16606234b71d/mozglue.dll94eaf2a9d1d275a40e443fa5Extension

unknown

http://okkolus.com/dfaf16606234b71d/mozglue.dllVUG

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dllpatible_edge_version_number

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://okkolus.com/dfaf16606234b71d/softokn3.dller

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dlle

unknown

http://okkolus.com/dfaf16606234b71d/ra

unknown

http://www.sqlite.org/copyright.html.

unknown

http://okkolus.com/dfaf16606234b71d/msvcp140.dller

unknown

http://okkolus.com/cf5cbdf706840b3f.phpN

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

http://okkolus.com/dfaf16606234b71d/

unknown

https://mozilla.org0/

unknown

http://okkolus.com/cf5cbdf706840b3f.phpte3.dll

unknown

http://okkolus.com/dfaf16606234b71d/softokn3.dll.

unknown

http://okkolus.com/dfaf16606234b71d/softokn3.dllCSF

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dllll_TH

unknown

http://okkolus.com/dfaf16606234b71d/freebl3.dll94eaf2a9d1d275a40e443fa5tionComponent

unknown

http://okkolus.com/dfaf16606234b71d/oTab

unknown

http://okkolus.com/dfaf16606234b71d/mozglue.dllser

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://okkolus.com/dfaf16606234b71d/soft

unknown

http://okkolus.com/cf5cbdf706840b3f.php6c3c10c894eaf2a9d1d275a40e443fa5cations

unknown

http://okkolus.com/dfaf16606234b71d/vcruntime140.dll%

unknown

https://www.ecosia.org/newtab/

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dll9M

unknown

http://okkolus.comppData

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://ac.ecopnacl

unknown

http://okkolus.com/cf5cbdf706840b3f.php/M

unknown

http://okkolus.com/cf5cbdf706840b3f.phpt

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dllJT

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dlloU

unknown

https://ac.ecop

unknown

http://okkolus.com/dfaf16606234b71d/mozglue.dlld

unknown

http://okkolus.com/dfaf16606234b71d/nss3.dllllx

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 48 hidden URLs, click here to show them.

Domains

Name

IP

Malicious

okkolus.com

31.41.44.147

Details

Name:	okkolus.com
IP:	31.41.44.147
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

IP

Domain

Country

Malicious

31.41.44.147

okkolus.com

Russian Federation

Details

IP:	31.41.44.147
TargetID:	0
Current Path:	C:\Users\user\Desktop\FFAk2gixx5.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	56577
ASN name:	ASRELINKRU
Private:	false
Domain:	okkolus.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2C4C000

heap

page read and write

2FC0000

direct allocation

page execute and read and write

400000

unkown

page execute and read and write

2FF0000

direct allocation

page read and write

231EB000

heap

page read and write

231FB000

heap

page read and write

61EB7000

direct allocation

page readonly

231F8000

heap

page read and write

231FB000

heap

page read and write

231ED000

heap

page read and write

636000

unkown

page execute and read and write

1CD1F000

stack

page read and write

231E0000

heap

page read and write

1D110000

trusted library allocation

page read and write

401000

unkown

page execute read

195000

stack

page read and write

1CADE000

stack

page read and write

231ED000

heap

page read and write

231DF000

heap

page read and write

231D4000

heap

page read and write

292D1000

heap

page read and write

232CB000

heap

page read and write

231FA000

heap

page read and write

231FB000

heap

page read and write

231FB000

heap

page read and write

231D8000

heap

page read and write

231DD000

heap

page read and write

2C2A000

heap

page read and write

2EBB000

heap

page read and write

231E0000

heap

page read and write

231D5000

heap

page read and write

3020000

heap

page read and write

231F2000

heap

page read and write

231DC000

heap

page read and write

231ED000

heap

page read and write

549000

unkown

page execute and read and write

1CBDF000

stack

page read and write

1D119000

heap

page read and write

1C99F000

stack

page read and write

1F0000

heap

page read and write

29291000

heap

page read and write

231D6000

heap

page read and write

1CE9E000

stack

page read and write

231EB000

heap

page read and write

1D000000

heap

page read and write

231E0000

heap

page read and write

231E5000

heap

page read and write

2EB0000

heap

page read and write

400000

unkown

page readonly

430000

unkown

page write copy

231E0000

heap

page read and write

61E01000

direct allocation

page execute read

2C2E000

heap

page read and write

231DD000

heap

page read and write

231DC000

heap

page read and write

2C37000

heap

page execute and read and write

231DD000

heap

page read and write

231D6000

heap

page read and write

231D7000

heap

page read and write

231DE000

heap

page read and write

231DE000

heap

page read and write

231DA000

heap

page read and write

231DE000

heap

page read and write

231D1000

heap

page read and write

61ECC000

direct allocation

page read and write

292B1000

heap

page read and write

231D1000

heap

page read and write

231D4000

heap

page read and write

231ED000

heap

page read and write

231C6000

heap

page read and write

2C05000

heap

page read and write

29230000

heap

page read and write

231D9000

heap

page read and write

231BE000

stack

page read and write

231E5000

heap

page read and write

231EB000

heap

page read and write

1CD5E000

stack

page read and write

40C000

unkown

page readonly

61ED4000

direct allocation

page readonly

231F2000

heap

page read and write

2C20000

heap

page read and write

231DC000

heap

page read and write

2BE0000

heap

page read and write

2CAB000

heap

page read and write

231C6000

heap

page read and write

2C00000

heap

page read and write

2AEE000

unkown

page readonly

231E0000

heap

page read and write

61ECD000

direct allocation

page readonly

231FB000

heap

page read and write

29250000

heap

page read and write

41A000

unkown

page readonly

61ED0000

direct allocation

page read and write

624000

unkown

page execute and read and write

3060000

heap

page read and write

61ED3000

direct allocation

page read and write

231ED000

heap

page read and write

231DE000

heap

page read and write

447000

unkown

page execute and read and write

29270000

heap

page read and write

2CA4000

heap

page read and write

231ED000

heap

page read and write

231E0000

heap

page read and write

1CC1E000

stack

page read and write

1CE5D000

stack

page read and write

231F2000

heap

page read and write

231D3000

heap

page read and write

231FA000

heap

page read and write

231C8000

heap

page read and write

231DC000

heap

page read and write

231DF000

heap

page read and write

231F2000

heap

page read and write

230BE000

stack

page read and write

61EB4000

direct allocation

page read and write

231FB000

heap

page read and write

231C5000

heap

page read and write

231D6000

heap

page read and write

61E00000

direct allocation

page execute and read and write

2C87000

heap

page read and write

231EB000

heap

page read and write

231D6000

heap

page read and write

484E000

stack

page read and write

1D010000

heap

page read and write

1CF9E000

stack

page read and write

231E0000

heap

page read and write

2AEE000

unkown

page readonly

48C0000

heap

page read and write

231DE000

heap

page read and write

231E5000

heap

page read and write

9C000

stack

page read and write

231D7000

heap

page read and write

There are 121 hidden memdumps, click here to show them.