IOC Report

Files

File Path | Type | Category | Verdict
SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe.log | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Temp\tmp689.tmp | XML 1.0 document, ASCII text | dropped | malicious
C:\Users\user\AppData\Roaming\YeTIrNtSwcaTp.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxwgpzoh.my2.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3hdg5bl.zka.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Roaming\YeTIrNtSwcaTp.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\w04wrif2.05f\Chrome\Default\Cookies | SQLite 3.x database, last written using SQLite version 3032001 | dropped | clean
C:\Users\user\Documents\20211125\PowerShell_transcript.585948.QT55auCE.20211125114411.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean

Notes on the file list: the sample is a 32-bit .NET assembly, and the CLR_v4.0_32 usage log is written by the .NET runtime for any managed executable it loads, so the log is evidence of execution rather than a payload. tmp689.tmp is the XML task definition that schtasks.exe consumes (see the Processes table), and YeTIrNtSwcaTp.exe in Roaming is the copy the task and the Defender exclusion refer to. The __PSScriptPolicyTest_*.ps1/.psm1 files, StartupProfileData-NonInteractive and the PowerShell_transcript file are side effects of PowerShell starting up in a sandbox with transcription enabled (the policy-test files are PowerShell probing AppLocker/WDAC script enforcement) and carry no sample-specific content. A Chrome Cookies SQLite database appearing under a randomly named folder in Roaming is consistent with the stealer copying the browser cookie store before reading it, which is what the Trojan-PSW classification refers to.

Processes

Path | Cmdline | Verdict
C:\Users\user\Desktop\SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe | "C:\Users\user\Desktop\SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YeTIrNtSwcaTp.exe" | malicious
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YeTIrNtSwcaTp" /XML "C:\Users\user\AppData\Local\Temp\tmp689.tmp" | malicious
C:\Users\user\Desktop\SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe | C:\Users\user\Desktop\SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

Notes on the process list: the command lines name the System32 copies of powershell.exe and schtasks.exe, but the executables that actually ran are the SysWOW64 copies, because a 32-bit parent is subject to WoW64 file system redirection. Detection logic should therefore match on the image path loosely (file name, not directory) or on the command line. The PowerShell invocation registers the dropped copy as a Windows Defender exclusion; Add-MpPreference needs an elevated context, so this step succeeds in a sandbox where the user is a local administrator but fails on a standard-user host, leaving the scheduled task as the persistence that survives. The schtasks invocation creates a task named Updates\YeTIrNtSwcaTp from an XML file in %TEMP%, which means the trigger, action and principal are only visible in tmp689.tmp or in the registered task, not on the command line. The sample appears twice, the second time with an unquoted command line, which is consistent with a loader that re-launches its own executable to run the decrypted payload. The two conhost.exe entries are the console hosts for the two command-line children and are benign on their own.
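The following is an added example, not part of the sandbox report or of the sample: detection logic for the two behaviours the Processes table shows, a Defender exclusion via Add-MpPreference that points into a user-writable directory and a scheduled task created from an XML file in %TEMP%. The process-creation records are constructed here from the command lines above using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage); the parent of the two children is assumed to be the sample itself, which the report implies but does not state, and a benign control record is constructed alongside to show the rules do not fire on an administrator excluding a vendor agent.

```python
"""Detection rules for the Defender-exclusion and schtasks-from-XML chain.

Added example built on the Processes table of the report; the event records
below are constructed, and the sample-as-parent relation is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # executable actually started (SysWOW64 copy for a 32-bit parent)
    command_line: str   # command line exactly as the parent passed it
    parent_image: str   # executable of the creating process


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Directories an unprivileged user can write to. An exclusion or a task
# definition living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# "Add-MpPreference -ExclusionPath <value>" and its -ExclusionProcess /
# -ExclusionExtension siblings; the value may be a comma-separated list.
MP_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(.+)$", re.I)
# "schtasks /Create ... /XML <file>": the whole task body comes from a file.
SCHTASKS_XML = re.compile(r"/Create\b.*?/XML\s+\"?([^\"]+?)\"?\s*$", re.I)
SCHTASKS_TN = re.compile(r"/TN\s+\"?([^\"]+?)\"?(?:\s|$)", re.I)


def _unquote_list(raw: str) -> list[str]:
    """Turn '"a.exe", "b.exe"' into ['a.exe', 'b.exe']."""
    return [p.strip().strip("\"'") for p in raw.split(",") if p.strip()]


def evaluate(ev: ProcEvent) -> list[Finding]:
    """Return every rule the event trips (empty list for benign events)."""
    findings: list[Finding] = []
    image = ev.image.lower()

    if image.endswith("\\powershell.exe"):
        m = MP_EXCLUSION.search(ev.command_line)
        if m:
            kind, raw = m.group(1), m.group(2)
            for target in _unquote_list(raw):
                # Any extension exclusion is suspicious; a path/process exclusion
                # only when it points into a user-writable directory.
                if kind.lower() == "extension" or USER_WRITABLE.search(target):
                    findings.append(Finding("defender_exclusion_user_path", f"-Exclusion{kind} {target}"))

    if image.endswith("\\schtasks.exe"):
        m = SCHTASKS_XML.search(ev.command_line)
        if m and TEMP_DIR.search(m.group(1)):
            tn = SCHTASKS_TN.search(ev.command_line)
            name = tn.group(1) if tn else "<unnamed>"
            findings.append(Finding("schtasks_xml_from_temp", f"task {name} from {m.group(1)}"))

    # Escalate when the LOLBin was started by something living in a user
    # directory rather than by explorer.exe, cmd.exe or an installer.
    if findings and USER_WRITABLE.search(ev.parent_image):
        findings.append(Finding("lolbin_spawned_from_user_dir", ev.parent_image))
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """(image, rule, detail) for every finding, in event order."""
    return [(ev.image, f.rule, f.detail) for ev in events for f in evaluate(ev)]


# Constructed records: three rows of the Processes table plus a benign
# control (an administrator excluding a vendor agent from cmd.exe).
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe"
EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\AppData\Roaming\YeTIrNtSwcaTp.exe"',
              SAMPLE),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YeTIrNtSwcaTp" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp689.tmp"',
              SAMPLE),
    ProcEvent(r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\SysWOW64\schtasks.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for image, rule, detail in scan(EVENTS):
        print(f"{rule:32} {image}\n{'':32} {detail}")
```

The rules match on the file name at the end of Image rather than on the directory, so the SysWOW64 copies in the report and the System32 copies on a 64-bit parent both trip them. The parent-directory rule is kept separate from the two content rules so that an analyst can tune its weight without losing the primary hits.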

URLs

Name | IP | Verdict
http://mail.medicare-equipment.com | unknown | clean
http://127.0.0.1:HTTP/1.1 | unknown | clean
http://CvsjsqM03oA.o | unknown | clean
http://DynDns.comDynDNS | unknown | clean
http://gFeKeW.com | unknown | clean
https://sectigo.com/CPS0 | unknown | clean
http://medicare-equipment.com | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean
http://CvsjsqM03oA.orgd. | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | unknown | clean
http://CvsjsqM03oA.org | unknown | clean

(2 further URLs are not included in this export.)
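The URL column above is harvested from strings in memory, so it mixes real endpoints with fragments (http://CvsjsqM03oA.o), concatenated neighbours (http://DynDns.comDynDNS), identifiers that are URLs only in form (the XML claims namespace; the CPS pointer from the signer's certificate, where the trailing 0 is the next DER byte) and templates with unexpanded variables (%tordir%). Hostname syntax alone cannot tell a fragment from a C2 name, so the added example below, which is not part of the report, leans on the Domains table: only hosts the sandbox actually resolved become block-list candidates, and the rest land in a watch list. The identifier-host allowlist is constructed for this example.

```python
"""Triage of a sandbox URL column into block-list, watch-list and noise.

Added example; the URL and Domains data are copied from the report above,
IDENTIFIER_HOSTS is a constructed allowlist.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# URL column of the report, copied verbatim.
REPORT_URLS = [
    "http://mail.medicare-equipment.com",
    "http://127.0.0.1:HTTP/1.1",
    "http://CvsjsqM03oA.o",
    "http://DynDns.comDynDNS",
    "http://gFeKeW.com",
    "https://sectigo.com/CPS0",
    "http://medicare-equipment.com",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://CvsjsqM03oA.orgd.",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
    "http://CvsjsqM03oA.org",
]
# Domains table of the report: the hosts the sandbox saw being resolved.
DOMAINS_TABLE = {"medicare-equipment.com", "mail.medicare-equipment.com"}
# Hosts that occur as identifiers inside .NET binaries and X.509 certificates,
# never as endpoints the sample contacts (constructed allowlist).
IDENTIFIER_HOSTS = {"schemas.xmlsoap.org", "schemas.microsoft.com", "www.w3.org", "sectigo.com"}

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # one DNS label, RFC 1123 style
TEMPLATE_VAR = re.compile(r"%[a-z_][a-z0-9_]*%", re.I)  # unexpanded %variable%


def host_of(url: str) -> str:
    """Lower-cased host with any trailing dot removed; '' if unparsable."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""


def valid_dns_name(host: str) -> bool:
    labels = host.split(".")
    return (len(host) <= 253 and len(labels) >= 2
            and all(LABEL.match(lbl) for lbl in labels)
            and not labels[-1].isdigit())


def classify(url: str) -> str:
    host = host_of(url)
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
        return "local_ip" if ip.is_loopback or ip.is_private else "public_ip"
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if not valid_dns_name(host):
        return "invalid"
    if host in IDENTIFIER_HOSTS:
        return "embedded_identifier"
    if TEMPLATE_VAR.search(url):
        return "template"
    if host in DOMAINS_TABLE:
        return "resolved"
    return "unresolved"


def triage(urls: list[str]) -> dict[str, set[str]]:
    """Group the hosts by class; unparsable entries keep the raw string."""
    out: dict[str, set[str]] = {}
    for url in urls:
        out.setdefault(classify(url), set()).add(host_of(url) or url)
    return out


def blocklist(urls: list[str]) -> set[str]:
    """Hosts with actual resolution evidence: the only safe block-list input."""
    return triage(urls).get("resolved", set())


if __name__ == "__main__":
    for cls, hosts in sorted(triage(REPORT_URLS).items()):
        print(f"{cls:20} {sorted(hosts)}")
```

With the report's data the block list is exactly the two medicare-equipment.com names; the random-looking .com/.org names and the two Tor download strings go to the watch list, because without a resolution or a connection the sandbox gives no evidence that the sample ever used them, and a blocklist padded with memory fragments costs credibility when one of them turns out to be a legitimate vendor.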

Domains

Name | IP | Verdict
medicare-equipment.com | 192.185.84.191 | malicious
mail.medicare-equipment.com | unknown | malicious

IPs

IP | Domain | Country | Verdict
192.185.84.191 | medicare-equipment.com | United States | malicious

Memdumps

Base address (hex) | Region type | Protect | Verdict
3A2D000 | unknown | page read and write | malicious
2B4A000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
2D91000 | unknown | page read and write | malicious
2A21000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
5D7E000 | stack | page read and write | clean
5EE4000 | unknown | page read and write | clean
DB4D3FD000 | stack | page read and write | clean
7DF5947F0000 | unknown image | page readonly | clean
2FA0000 | unknown image | page readonly | clean
5431000 | unknown | page read and write | clean
60E0000 | unknown | page read and write | clean
56FC9F7000 | stack | page read and write | clean
222A6E02000 | unknown | page read and write | clean
BE3000 | stack | page read and write | clean
2F90000 | unknown image | page readonly | clean
7FB30000 | unknown image | page readonly | clean
5431000 | unknown | page read and write | clean
5431000 | unknown | page read and write | clean
5431000 | unknown | page read and write | clean
5431000 | unknown | page read and write | clean
5924000 | unknown | page read and write | clean

Notes on the memory dumps: each row is one dump, so a repeated address (402000, 5431000) is the same region captured more than once. The dumps at 402000 sit at the first section of the default 32-bit .NET image base 0x400000 and carry execute, read and write protection; compilers emit code sections as read+execute only, so a writable and executable image section means the process changed the protection of its own image at run time, which is why these dumps are flagged and are the ones worth unpacking first. The read-and-write heap regions flagged malicious are where the sandbox found the decrypted payload or its strings; the stack and read-only image regions are normal process layout.