Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.964571416300009
Filename:	SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Filesize:	2068446
MD5:	87b6fcfdaa0ab94d9cf4b7f3cbbc8b8b
SHA1:	2e3dacf58466b4b7a2c6d52b008f6e1b4c98911a
SHA256:	c1874e86e54a70b1917c708826975e45fa5c813f0ec30f6afd4971100ac0e5b7
SHA512:	cad60287d7340fff636e13443544e1fcc9796ff165f7b56afe8bfeb1b240dfc002f9d6872bba6c6a993a81ff1362e74ea52c9b58067a5d1a59f347bf20ca7c4f
SSDEEP:	49152:Il4n2ygDR5l1R+2CvsKU4TP5GdY/5ONw2cK9vWvGYYhfBfah7Dgpqqd:JnsRfXovsKjTxkGONw54vWvxYNBfahIr
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..d......P..........#..................5.........@.............................P......R.......................................................\|........0.....

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd
Category:	dropped
Dump:	7ZSfx000.cmd.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.152383346840018
Encrypted:	false
Ssdeep:	6:mRoiowv2sw7uvXWhjAdbMD2Uwv2sw7uvXWhjAd10Wiowkn23fS3:mRoeQuvGqd9QuvGqd1Lef8
Size:	266
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\ez-az!\EasyVBO.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ez-az!\EasyVBO.exe
Category:	dropped
Dump:	EasyVBO.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.212819135706876
Encrypted:	false
Ssdeep:	393216:Aihl2xljXZofwLBIcpLQwK7oM2j004g4CNKQj95sXNb5SzBEPWLXfCHMd+fhUFCb:AS2xJp70SDblaXPUpccULgAph
Size:	19781992
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe

"C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6748
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe"
Size:	2068446
MD5:	87B6FCFDAA0AB94D9CF4B7F3CBBC8B8B
Time:	03:33:52
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	217088
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd" "

Details

Is windows:	true
Is dropped:	false
PID:	6984
Target ID:	1
Parent PID:	6748
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd" "
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	03:33:58
Date:	18/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6c0050000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7016
Target ID:	2
Parent PID:	6984
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:33:58
Date:	18/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.winsms.co.za/api/credits.ASP?User=

unknown

Details

Name:	https://www.winsms.co.za/api/credits.ASP?User=
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source:	EasyVBO.exe.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.google.com/

unknown

http://www.easyas.co.zaBYour

unknown

https://www.easyas.co.za/downloads/7zEasyVBO.exef

unknown

Details

Name:	https://www.easyas.co.za/downloads/7zEasyVBO.exef
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source:	EasyVBO.exe.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

57A000

heap

page read and write

500000

heap

page read and write

2AAF000

stack

page read and write

14002B000

unkown

page write copy

858000

direct allocation

page read and write

46EC000

stack

page read and write

278E000

stack

page read and write

23B0000

heap

page read and write

599000

heap

page read and write

526000

heap

page read and write

575000

heap

page read and write

5E6000

heap

page read and write

599000

heap

page read and write

1C0000

heap

page read and write

140031000

unkown

page readonly

190000

heap

page read and write

140001000

unkown

page execute read

56E000

heap

page read and write

520000

heap

page read and write

563000

heap

page read and write

56E000

heap

page read and write

23AA000

heap

page read and write

23B0000

heap

page read and write

8B0000

heap

page read and write

140000000

unkown

page readonly

5D7000

heap

page read and write

140001000

unkown

page execute read

14002B000

unkown

page read and write

5C9000

heap

page read and write

57A000

heap

page read and write

1A0000

heap

page read and write

893000

heap

page read and write

52C000

heap

page read and write

563000

heap

page read and write

5C9000

heap

page read and write

890000

heap

page read and write

29C7000

heap

page read and write

23A0000

heap

page read and write

298F000

stack

page read and write

71E000

stack

page read and write

53B000

heap

page read and write

5D7000

heap

page read and write

53A000

heap

page read and write

4D6F000

heap

page read and write

8B5000

heap

page read and write

5EC000

heap

page read and write

140031000

unkown

page readonly

140000000

unkown

page readonly

48CB000

heap

page read and write

45F3000

heap

page read and write

140024000

unkown

page readonly

23AF000

heap

page read and write

48CE000

heap

page read and write

81E000

stack

page read and write

148000

stack

page read and write

3DF0000

trusted library allocation

page read and write

574000

heap

page read and write

140024000

unkown

page readonly

5F0000

heap

page read and write

58E000

heap

page read and write

840000

direct allocation

page read and write

There are 51 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe