Edit tour

Windows Analysis Report
SOA FEB 2025.exe

Overview

General Information

Sample name:	SOA FEB 2025.exe
Analysis ID:	1638531
MD5:	24b863d9691aec08e6e5cc6d82e9e566
SHA1:	431dee79ae6101ba19a4133a2c726310e0961fe4
SHA256:	df1609f7ea2efb92f4b1597e72086ddef9c617afe5d0ba2d0c7b13be2534778a
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOA FEB 2025.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\SOA FEB 2025.exe" MD5: 24B863D9691AEC08E6E5CC6D82E9E566)

RegSvcs.exe (PID: 8288 cmdline: "C:\Users\user\Desktop\SOA FEB 2025.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7563833743:AAGqp8ZlKOECgMPhdAq5I6-k3SMLKGbXjjY", "Telegram Chatid": "6403200178"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf06f:$a1: get_encryptedPassword 0xf397:$a2: get_encryptedUsername 0xee0a:$a3: get_timePasswordChanged 0xef2b:$a4: get_passwordField 0xf085:$a5: set_encryptedPassword 0x109d6:$a7: get_logins 0x10687:$a8: GetOutlookPasswords 0x10479:$a9: StartKeylogger 0x10926:$a10: KeyLoggerEventArgs 0x104d6:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14007:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13505:$a3: \Google\Chrome\User Data\Default\Login Data 0x13813:$a4: \Orbitum\User Data\Default\Login Data 0x1460b:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xee6f:$a1: get_encryptedPassword 0xf197:$a2: get_encryptedUsername 0xec0a:$a3: get_timePasswordChanged 0xed2b:$a4: get_passwordField 0xee85:$a5: set_encryptedPassword 0x107d6:$a7: get_logins 0x10487:$a8: GetOutlookPasswords 0x10279:$a9: StartKeylogger 0x10726:$a10: KeyLoggerEventArgs 0x102d6:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2523097849.00000000030D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA FEB 2025.exe PID: 6840	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: SOA FEB 2025.exe PID: 6840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA FEB 2025.exe PID: 6840	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: SOA FEB 2025.exe PID: 6840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SOA FEB 2025.exe PID: 6840	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xed6ce:$a1: get_encryptedPassword 0xed9e7:$a2: get_encryptedUsername 0xed47d:$a3: get_timePasswordChanged 0xed59e:$a4: get_passwordField 0xed6e4:$a5: set_encryptedPassword 0xeefdc:$a7: get_logins 0xeec8d:$a8: GetOutlookPasswords 0xeea7f:$a9: StartKeylogger 0xeef2c:$a10: KeyLoggerEventArgs 0xeeadc:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 8288	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 8288	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8288	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 8288	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 8288	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c185:$a1: get_encryptedPassword 0x2c49e:$a2: get_encryptedUsername 0x2bf34:$a3: get_timePasswordChanged 0x2c055:$a4: get_passwordField 0x2c19b:$a5: set_encryptedPassword 0x2da93:$a7: get_logins 0x2d744:$a8: GetOutlookPasswords 0x2d536:$a9: StartKeylogger 0x2d9e3:$a10: KeyLoggerEventArgs 0x2d593:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.SOA FEB 2025.exe.1450000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd26f:$a1: get_encryptedPassword 0xd597:$a2: get_encryptedUsername 0xd00a:$a3: get_timePasswordChanged 0xd12b:$a4: get_passwordField 0xd285:$a5: set_encryptedPassword 0xebd6:$a7: get_logins 0xe887:$a8: GetOutlookPasswords 0xe679:$a9: StartKeylogger 0xeb26:$a10: KeyLoggerEventArgs 0xe6d6:$a11: KeyLoggerEventArgsEventHandler
3.2.SOA FEB 2025.exe.1450000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12207:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11705:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a13:$a4: \Orbitum\User Data\Default\Login Data 0x1280b:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf06f:$a1: get_encryptedPassword 0xf397:$a2: get_encryptedUsername 0xee0a:$a3: get_timePasswordChanged 0xef2b:$a4: get_passwordField 0xf085:$a5: set_encryptedPassword 0x109d6:$a7: get_logins 0x10687:$a8: GetOutlookPasswords 0x10479:$a9: StartKeylogger 0x10926:$a10: KeyLoggerEventArgs 0x104d6:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14007:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13505:$a3: \Google\Chrome\User Data\Default\Login Data 0x13813:$a4: \Orbitum\User Data\Default\Login Data 0x1460b:$a5: \Kometa\User Data\Default\Login Data
3.2.SOA FEB 2025.exe.1450000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.SOA FEB 2025.exe.1450000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf06f:$a1: get_encryptedPassword 0xf397:$a2: get_encryptedUsername 0xee0a:$a3: get_timePasswordChanged 0xef2b:$a4: get_passwordField 0xf085:$a5: set_encryptedPassword 0x109d6:$a7: get_logins 0x10687:$a8: GetOutlookPasswords 0x10479:$a9: StartKeylogger 0x10926:$a10: KeyLoggerEventArgs 0x104d6:$a11: KeyLoggerEventArgsEventHandler
3.2.SOA FEB 2025.exe.1450000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14007:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13505:$a3: \Google\Chrome\User Data\Default\Login Data 0x13813:$a4: \Orbitum\User Data\Default\Login Data 0x1460b:$a5: \Kometa\User Data\Default\Login Data
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T13:49:09.650829+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2523097849.0000000002F81000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7563833743:AAGqp8ZlKOECgMPhdAq5I6-k3SMLKGbXjjY", "Telegram Chatid": "6403200178"}

Multi AV Scanner detection for submitted file

Source: SOA FEB 2025.exe	Virustotal: Detection: 35%			Perma Link
Source: SOA FEB 2025.exe	ReversingLabs: Detection: 42%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SOA FEB 2025.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: SOA FEB 2025.exe, 00000003.00000003.1282728418.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1282974862.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SOA FEB 2025.exe, 00000003.00000003.1282728418.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1282974862.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C445A GetFileAttributesW,FindFirstFileW,FindClose,	3_2_004C445A
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CC6D1 FindFirstFileW,FindClose,	3_2_004CC6D1
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_004CC75C
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004CEF95
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004CF0F2
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004CF3F3
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_004C37EF
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_004C3B12
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004CBCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01535782h	7_2_01535366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 015351B9h	7_2_01534F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01535782h	7_2_015356AF

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

3_2_004D22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.0
Source: SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

3_2_004D4164

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

3_2_004D4164

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_004D3F66

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

3_2_004C001C

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004ECABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

3_2_004ECABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: This is a third-party compiled AutoIt script.	3_2_00463B3A
Source: SOA FEB 2025.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SOA FEB 2025.exe, 00000003.00000002.1285529000.0000000000514000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c53f1798-7
Source: SOA FEB 2025.exe, 00000003.00000002.1285529000.0000000000514000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b098f796-8

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00463633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	3_2_00463633
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	3_2_004EC1AC
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	3_2_004EC498
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC57D SendMessageW,NtdllDialogWndProc_W,	3_2_004EC57D
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	3_2_004EC5FE
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC860 NtdllDialogWndProc_W,	3_2_004EC860
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC88F NtdllDialogWndProc_W,	3_2_004EC88F
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC8BE NtdllDialogWndProc_W,	3_2_004EC8BE
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC909 NtdllDialogWndProc_W,	3_2_004EC909
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EC93E ClientToScreen,NtdllDialogWndProc_W,	3_2_004EC93E
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004ECA7C GetWindowLongW,NtdllDialogWndProc_W,	3_2_004ECA7C
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004ECABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	3_2_004ECABC
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00461287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7493C8D0,NtdllDialogWndProc_W,	3_2_00461287
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00461290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	3_2_00461290
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004ED3B8 NtdllDialogWndProc_W,	3_2_004ED3B8
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004ED43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	3_2_004ED43E
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0046167D NtdllDialogWndProc_W,	3_2_0046167D
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004616DE GetParent,NtdllDialogWndProc_W,	3_2_004616DE
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004616B5 NtdllDialogWndProc_W,	3_2_004616B5
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004ED78C NtdllDialogWndProc_W,	3_2_004ED78C
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0046189B NtdllDialogWndProc_W,	3_2_0046189B
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EBC5D NtdllDialogWndProc_W,CallWindowProcW,	3_2_004EBC5D
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EBF30 NtdllDialogWndProc_W,	3_2_004EBF30
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004EBF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	3_2_004EBF8C

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

3_2_004CA1EF

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004B8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,73FB5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

3_2_004B8310

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

3_2_004C51BD

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0048D975	3_2_0048D975
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004821C5	3_2_004821C5
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004962D2	3_2_004962D2
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004E03DA	3_2_004E03DA
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0049242E	3_2_0049242E
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004825FA	3_2_004825FA
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004BE616	3_2_004BE616
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004766E1	3_2_004766E1
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0046E6A0	3_2_0046E6A0
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0049878F	3_2_0049878F
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00496844	3_2_00496844
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004E0857	3_2_004E0857
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00478808	3_2_00478808
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C8889	3_2_004C8889
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0048CB21	3_2_0048CB21
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00496DB6	3_2_00496DB6
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00476F9E	3_2_00476F9E
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00473030	3_2_00473030
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0048F1D9	3_2_0048F1D9
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00483187	3_2_00483187
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00461287	3_2_00461287
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00481484	3_2_00481484
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00475520	3_2_00475520
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00487696	3_2_00487696
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00475760	3_2_00475760
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00481978	3_2_00481978
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00499AB5	3_2_00499AB5
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0046FCE0	3_2_0046FCE0
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004E7DDB	3_2_004E7DDB
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00481D90	3_2_00481D90
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0048BDA6	3_2_0048BDA6
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0046DF00	3_2_0046DF00
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00473FE0	3_2_00473FE0
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_014E3210	3_2_014E3210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0153C168	7_2_0153C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_015319B8	7_2_015319B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0153CA58	7_2_0153CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01534F08	7_2_01534F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01537E68	7_2_01537E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0153C386	7_2_0153C386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0153B9E0	7_2_0153B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01532DD1	7_2_01532DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01537E59	7_2_01537E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01534EF8	7_2_01534EF8

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: String function: 00488900 appears 42 times
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: String function: 00467DE1 appears 36 times
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: String function: 00480AE3 appears 70 times

Source: SOA FEB 2025.exe, 00000003.00000003.1283100980.0000000003F7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SOA FEB 2025.exe
Source: SOA FEB 2025.exe, 00000003.00000003.1284160024.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SOA FEB 2025.exe
Source: SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs SOA FEB 2025.exe

Source: SOA FEB 2025.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: SOA FEB 2025.exe, 00000003.00000003.1276728836.0000000001657000.00000004.00000020.00020000.00000000.sdmp, Dunlop.3.dr

Binary or memory string: 37R?TUABFYX}EAO.vBP=XSM

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004CA06A GetLastError,FormatMessageW,

3_2_004CA06A

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004B81CB AdjustTokenPrivileges,CloseHandle,		3_2_004B81CB
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		3_2_004B87E1

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004CB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_004CB333

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

3_2_004DEE0D

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004CC397 CoInitialize,CoCreateInstance,CoUninitialize,

3_2_004CC397

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00464E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_00464E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

File created: C:\Users\user\AppData\Local\Temp\aut4142.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2523097849.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000003060000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523552860.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000003070000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.000000000307E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000003093000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SOA FEB 2025.exe	Virustotal: Detection: 35%
Source: SOA FEB 2025.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\SOA FEB 2025.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: SOA FEB 2025.exe, 00000003.00000003.1282728418.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1282974862.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SOA FEB 2025.exe, 00000003.00000003.1282728418.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1282974862.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00464B37 LoadLibraryA,GetProcAddress,

3_2_00464B37

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0046C4C6 push A30046BAh; retn 0046h	3_2_0046C50D
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00488945 push ecx; ret	3_2_00488958
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_00462F12 push es; retf	3_2_00462F13

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		3_2_004648D7
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		3_2_004E5376

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00483187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00483187

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

API/Special instruction interceptor: Address: 14E2E34

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C445A GetFileAttributesW,FindFirstFileW,FindClose,	3_2_004C445A
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CC6D1 FindFirstFileW,FindClose,	3_2_004CC6D1
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_004CC75C
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004CEF95
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004CF0F2
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004CF3F3
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_004C37EF
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_004C3B12
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004CBCBC

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_004649A0

Source: RegSvcs.exe, 00000007.00000002.2522243719.0000000001157000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0153C168 LdrInitializeThunk,LdrInitializeThunk,

7_2_0153C168

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004D3F09 BlockInput,

3_2_004D3F09

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00463B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00463B3A

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00495A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

3_2_00495A7C

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00464B37 LoadLibraryA,GetProcAddress,

3_2_00464B37

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_014E3100 mov eax, dword ptr fs:[00000030h]	3_2_014E3100
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_014E30A0 mov eax, dword ptr fs:[00000030h]	3_2_014E30A0
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_014E1A70 mov eax, dword ptr fs:[00000030h]	3_2_014E1A70

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004B80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

3_2_004B80A9

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0048A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_0048A155
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_0048A124 SetUnhandledExceptionFilter,		3_2_0048A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E18008

Jump to behavior

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004B87B1 LogonUserW,

3_2_004B87B1

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00463B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00463B3A

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

3_2_004648D7

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004C4C53 mouse_event,

3_2_004C4C53

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

3_2_004B7CAF

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_004B874B

Source: SOA FEB 2025.exe, 00000003.00000002.1285529000.0000000000514000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SOA FEB 2025.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_0048862B cpuid

3_2_0048862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00494E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00494E87

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004A1E06 GetUserNameW,

3_2_004A1E06

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_00493F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_00493F3A

Source: C:\Users\user\Desktop\SOA FEB 2025.exe

Code function: 3_2_004649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_004649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SOA FEB 2025.exe, 00000003.00000003.1277023002.0000000001536000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1273715356.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1276847158.0000000001536000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000002.1287168898.0000000001536000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1276463008.0000000001536000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1274200223.0000000001536000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1273784130.0000000001536000.00000004.00000020.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000003.00000003.1276769707.0000000001536000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: msmpeng.exe

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SOA FEB 2025.exe	Binary or memory string: WIN_81
Source: SOA FEB 2025.exe	Binary or memory string: WIN_XP
Source: SOA FEB 2025.exe	Binary or memory string: WIN_XPe
Source: SOA FEB 2025.exe	Binary or memory string: WIN_VISTA
Source: SOA FEB 2025.exe	Binary or memory string: WIN_7
Source: SOA FEB 2025.exe	Binary or memory string: WIN_8
Source: SOA FEB 2025.exe, 00000003.00000002.1285529000.0000000000514000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2523097849.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SOA FEB 2025.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA FEB 2025.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8288, type: MEMORYSTR

Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		3_2_004D6283
Source: C:\Users\user\Desktop\SOA FEB 2025.exe	Code function: 3_2_004D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		3_2_004D6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOA FEB 2025.exe	36%	Virustotal		Browse
SOA FEB 2025.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://www.microsoft.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.0	RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	RegSvcs.exe, 00000007.00000002.2523097849.000000000301D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.2523097849.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	SOA FEB 2025.exe, 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523097849.0000000003000000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638531
Start date and time:	2025-03-14 13:48:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOA FEB 2025.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 20.12.23.50, 150.171.28.10, 2.19.96.24
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	ADES_PO_Confirmation_20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Transferencia 6997900002017937.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	hh01FRs81x.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/?LL=4FHLH&R4lxS2-P=7Jez/f8BRsPhvFRcTYEfxOkzfWBvvrnmo+4qP8uldvbHjjygNPFvdo5E4tKnf+Ij1qWwstrtA/xMUYgdGo9Dw7YPXWw4NGSG4oy32mHU2IUoylmJFg==
	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/
	A2h6QhZIKx.exe	Get hash	malicious	Azorult	Browse	k1d5.icu/TP341/index.php
	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	r_BBVA_MensajeSWIFT04-03-2025-PDF.exe	Get hash	malicious	FormBook	Browse	www.kdrqcyusevx.info/k7wl/
	MUH030425.exe	Get hash	malicious	Azorult	Browse	k1d5.icu/TP341/index.php
	Invoice Remittance ref20250226.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
158.101.44.242	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Payment slip.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Statement FEB 2025pdf.com.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Payment slip.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	Statement FEB 2025pdf.com.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Payment slip.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Notice Letter 2025 03 12 02930920.docs.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
CLOUDFLARENETUS	https://intimidadcondiosgt.com/fghjwssxhj/2pIU6hxd/Y2l0eXRpdGxlQGNpdHl0aXRsZWFnZW5jeS5jb20N	Get hash	malicious	Unknown	Browse	172.67.136.69
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	https://www.google.co.zm/url?q=https%3A%2F%2Fembalagenspontual.com%2F.dnd%2F&sa=D&sntz=1&usg=AOvVaw2fQzlrSA6WjuVq4o5C-GZh#?470265860475745Family=X2NlYzY3QG5hc2hpbnRsLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://fortuneurl.com/qdQgK	Get hash	malicious	Unknown	Browse	104.22.20.144
	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	http://188.114.96.0	Get hash	malicious	Unknown	Browse	104.18.31.19
	SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.181.28
	https://https.docusign.click/Xckp3QUpZN3dxRHFodEMwRElEMjkzNi96OEZ0MzdvM05qN3hHeE9JNjdDMThoQVo0Ukl2UEhETTdTZEVjNCtzS0IzUFBQb3l5SnRmbWdnMHpCVzdkaTl6NjJEcS93cVduMkdvOHJLV3RlK0JkbmFKRS9oRTdDUXVhVlZXQUd0anJnaUNyTHBNL2xhaFNpd0xwVnFvdlg3dnNYNGlNczg5ZkhVdTZmVlBtd3FEK0RCMHh0THJOdGRYMmRKVUMzK0xKanduNzZ3PT0tLUJCU3Z2YVFGNUd0UHl1TWctLWZaZnlpcFIxMDRETkp4eEx1SVhuQVE9PQ==?cid=322110114	Get hash	malicious	KnowBe4	Browse	104.17.245.203
	SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.21.48.1
	SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.21.72.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	QUOTATION#006565.exe	Get hash	malicious	RedLine	Browse	104.21.96.1
	SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Payment slip.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\SOA FEB 2025.exe
File Type:	data
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.869980096052665
Encrypted:	false
SSDEEP:	1536:hNjHqNKYlOL4tBkcUSWVhX3SwX42IZSBxfh5hBobadw25R5E+/PVgWqv87:hNjKlUqkcUswEZS/55hBsKw2XKktgP87
MD5:	6E169489A0D90C379A4AAFB7B7DB9544
SHA1:	ADB40EEA8E69235CA0A5B610C71D37230CBE5A0C
SHA-256:	6AF7441EF99A4453D707AB09429CF6E4E6040ECAAC07EE714C0B99E30A71F26D
SHA-512:	383CC35C41EA116514DCBC8FEAEC1427D34D98CDD8740013B4A75D6FB1926E6F558267B50AC3A3DDBAFE9B04CCEC4C96729F2A7D6A9FE88EC00EB63F3176949C
Malicious:	false
Reputation:	low
Preview:	...REYX9AAN5..PA.SM6ZXK2wRUUUARFYX9EAN5FFPAYSM6ZXK27RUUUARFY.9EA@.HP.P.l.[...c:<&u1 )>X(a-T((?5y1(.(-%.^<u...r+6<\kLC?bFPAYSM6..K2{SVU./..YX9EAN5F.PCXXLfZX+37R]UUARFY.FDAN.FFP.XSM6.XK.7RUWUAVFYX9EAN3FFPAYSM6.YK25RUUUARDY8.EA^5FVPAYS]6ZHK27RUUEARFYX9EAN5F./@Y.M6ZX.37.PUUARFYX9EAN5FFPAYSM.[XG27RUUUARFYX9EAN5FFPAYSM6ZXK27RUUUARFYX9EAN5FFPAYSM6ZxK2?RUUUARFYX9EIn5F.PAYSM6ZXK27\|!0-5RFY.fDAN.FFP!XSM4ZXK27RUUUARFYX.EA..45""YSM._XK2.SUUSARF;Y9EAN5FFPAYSM6.XKr. 09:"RFUX9EA.4FFRAYS%7ZXK27RUUUARFY.9E.N5FFPAYSM6ZXK27R.TARFYXqEAN7FCPi.SM..XK17RU.UAT6.X9.AN5FFPAYSM6ZXK27RUUUARFYX9EAN5FFPAYSM6ZXK27.(.Z..0+..AN5FFP@[PI0RPK27RUUUA,FYX.EANuFFPvYSM.ZXK_7RUqUAR8YX9;AN5"FPA+SM6;XK2pRUU:ARF7X9E?N5FXRiFSM<p~K0.rUU_Ax.y9EK.4FFT2{SM<.ZK23!vUUK.EYX=6eN5L.TAYW>.ZXA.2RUQ..RE.N?EAUZ~FPKYP.#\XK).tUW}xRFSX.cAM.S@PAByo6X.B27V..&\RF_p{EADAOFPC.YM6^rU0..UU_kp8JX9AjN.d8DAYWf6pz5'7RQ~Ukp8OX9AjN.d8GAYWf6p^aP7 .YU1Q)8X9Ci.5FLx.YSK6pbKL9RUQW..FYR.o{N..FPGY{.6Z^K..R+fUAVj^&.EAJ.P8aAYW.0"XK4D.UU_d.uYX=m.N5LFz.Y{.6Z^K.{RUS

C:\Users\user\AppData\Local\Temp\aut4142.tmp

Download File

Process:	C:\Users\user\Desktop\SOA FEB 2025.exe
File Type:	data
Category:	dropped
Size (bytes):	68346
Entropy (8bit):	7.914529641149232
Encrypted:	false
SSDEEP:	1536:P0VPCdtQNK6imN2VOiJOKnpW8RpuVHH8bZ4cCC1RFq9i:sVPCAM6NSO+1VRpuVHczLrFq8
MD5:	5761C6E8D7A72FC98CABF94D4B18ECA6
SHA1:	D1985E02782502E8CE6E26BA5CA7EB992D2ED71B
SHA-256:	3BB3E7533D80D2B4A70003782BA2B768A44B1C2C04585C6CFCFC2FE8C083D8FB
SHA-512:	6B2A23D79C68A605FDA908CA935B60F8DCF93DAEA8868F74373602266A7FE8AC3477366A56C1213C98FC3858518C85DAA727ABA2F54EE598DEBB38F0CC64F019
Malicious:	false
Reputation:	low
Preview:	EA06..j..C.5-f.9..i.]..A...j.b.2...Z...F..(..e..P..@..7...`.l.J.......c.qL4N.:.I.....}.J,2..Q?..f2...[%.W..X.j%r....]2.?..(.....u:.W./.}..5..P...e..X......f>.j%.....85..b5X..!.V.V......Y...e5.....8.Qh5....6.f.@..(....K...........?.-[.Q.<.......W.\.~.7.M.kF...v.!.Kf..g........4.Q.c4Z..74..@....6m.uZ.L.l..@.>......L'3..J.U..}.J5...6If..?.bsE..^.\|YUP....(.z5..i.T./Eb.1.6!.Z.Rm..N........jk\...a+.n...@..)3..@..R..b..l]@......6+..e..D..(...bD..J..I...p.6'@.......(.....S.....\.?r..k..."Uy..i\|..2...Sg....e3...Z_H.d....3.T..j......T....n.E...Z.V.~.T)u...G\.R.1.V.}.T..:.N.A...t....y......oV.......p..h4J.>.P..k4.z.U.G. ...8.....t~.8..6.i...5...U..T.l.....7....7.wk5Y.FS8.Nhv.L.L.@k5:\..b..' .E^]..VjQ.}...Q..z..96.W.q.-JWf..-U.4.A.G........H........Y:WP.2....(.]f...6cW..V.U.........Mh.k.8...@)s).J....(..h.!N..(.+O....V.....;E....K\|^.7......R..[f.....X.. .!.~.5..k5^l..X..-5...S.Q.u......Q...N.2.t.s.M..U....Y$2sE..)qP..I..D+U.}..U..i.H..@..ztj.........O.C(

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.91213403555262
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SOA FEB 2025.exe
File size:	513'024 bytes
MD5:	24b863d9691aec08e6e5cc6d82e9e566
SHA1:	431dee79ae6101ba19a4133a2c726310e0961fe4
SHA256:	df1609f7ea2efb92f4b1597e72086ddef9c617afe5d0ba2d0c7b13be2534778a
SHA512:	ebcf0dde570a73fe17313317d88e25d61f9c2fc287f1e8796125639dbd1c513297a19725f907c3bb83700f11dbf361943cf727ea16f5e724657237ee90ed51c5
SSDEEP:	12288:6quErHF6xC9D6DmR1J98w4oknqOOCyQfgSh2dEU8xYO/:vrl6kD68JmlotQfnhUEfxJ/
TLSH:	6AB412895ED6DA36C698A33581398C9049B574728E892B6EC728F25FFC30343DC1BB5D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x4ff9b0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D404C5 [Fri Mar 14 10:28:21 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004AA000h
lea edi, dword ptr [esi-000A9000h]
push edi
jmp 00007FA438B69D4Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA438B69D2Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA438B69D4Dh
jne 00007FA438B69D6Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA438B69D61h
dec eax
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA438B69D16h
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA438B69D94h
xor ecx, ecx
sub eax, 03h
jc 00007FA438B69D53h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA438B69DB7h
sar eax, 1
mov ebp, eax
jmp 00007FA438B69D4Dh
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA438B69D0Eh
inc ecx
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA438B69D00h
add ebx, ebx
jne 00007FA438B69D49h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA438B69D31h
jne 00007FA438B69D4Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA438B69D26h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FA438B69D50h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x126e78	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x26e78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12729c	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xffb94	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xa9000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xaa000	0x56000	0x55c00	406607c66917b168f47010c2bf9b2268	False	0.9883638165087464	data	7.936676106362506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x28000	0x27400	fbeea58e71ceb732dcec024651a71d5d	False	0.8693521098726115	data	7.749814535124881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1005ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1006d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x100804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x100930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x100c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x100d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x101bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1024a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x102a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x104fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x106064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xcda84	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xce110	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xcf660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x1064d0	0x2040f	data			1.0003860390126484
RT_GROUP_ICON	0x1268e4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x126960	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x126978	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x126990	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1269a8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126a88	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-14T13:49:09.650829+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49712	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 13:49:08.658889055 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:49:08.663600922 CET	80	49712	158.101.44.242	192.168.2.5
Mar 14, 2025 13:49:08.663919926 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:49:08.663919926 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:49:08.668577909 CET	80	49712	158.101.44.242	192.168.2.5
Mar 14, 2025 13:49:09.260938883 CET	80	49712	158.101.44.242	192.168.2.5
Mar 14, 2025 13:49:09.313122988 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:49:09.327363014 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:49:09.332082987 CET	80	49712	158.101.44.242	192.168.2.5
Mar 14, 2025 13:49:09.595153093 CET	80	49712	158.101.44.242	192.168.2.5
Mar 14, 2025 13:49:09.650829077 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:49:09.732484102 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:09.732516050 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:09.732572079 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:09.741168976 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:09.741185904 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.241513014 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.241581917 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:10.249181986 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:10.249193907 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.249495983 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.297435999 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:10.316612005 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:10.364316940 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.424453974 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.424500942 CET	443	49713	104.21.96.1	192.168.2.5
Mar 14, 2025 13:49:10.424537897 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:49:10.431921005 CET	49713	443	192.168.2.5	104.21.96.1
Mar 14, 2025 13:50:14.586275101 CET	80	49712	158.101.44.242	192.168.2.5
Mar 14, 2025 13:50:14.586460114 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:50:49.626174927 CET	49712	80	192.168.2.5	158.101.44.242
Mar 14, 2025 13:50:49.633411884 CET	80	49712	158.101.44.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 13:49:08.645610094 CET	63147	53	192.168.2.5	1.1.1.1
Mar 14, 2025 13:49:08.652789116 CET	53	63147	1.1.1.1	192.168.2.5
Mar 14, 2025 13:49:09.722970009 CET	64809	53	192.168.2.5	1.1.1.1
Mar 14, 2025 13:49:09.731837988 CET	53	64809	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2025 13:49:08.645610094 CET	192.168.2.5	1.1.1.1	0x6412	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.722970009 CET	192.168.2.5	1.1.1.1	0x3943	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 14, 2025 13:49:08.652789116 CET	1.1.1.1	192.168.2.5	0x6412	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 13:49:08.652789116 CET	1.1.1.1	192.168.2.5	0x6412	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:08.652789116 CET	1.1.1.1	192.168.2.5	0x6412	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:08.652789116 CET	1.1.1.1	192.168.2.5	0x6412	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:08.652789116 CET	1.1.1.1	192.168.2.5	0x6412	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:08.652789116 CET	1.1.1.1	192.168.2.5	0x6412	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 13:49:09.731837988 CET	1.1.1.1	192.168.2.5	0x3943	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	158.101.44.242	80	8288	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 14, 2025 13:49:08.663919926 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 14, 2025 13:49:09.260938883 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 12:49:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cd1362af6e8da4db011165c2b5ee050d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 14, 2025 13:49:09.327363014 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 14, 2025 13:49:09.595153093 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 12:49:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7ab2e210fc869d84dc16d12dfa245e31 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	104.21.96.1	443	8288	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 12:49:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-14 12:49:10 UTC	852	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 12:49:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 106816 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 13 Mar 2025 07:08:53 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWhN0s40%2BiixZJbfDMBIBdoSKNLso7iJTsUABHPZZfO5xrw8n0HD1jhEku3uduqMlF3Vmh3WJoIUm0w7N%2BnGoCvvp3KIE1JSfngeicV2xjC3hdY6EpOO12sCP0yzYyaBY0LFjDkR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9203e3b7cb7d436f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1711&rtt_var=726&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1706604&cwnd=164&unsent_bytes=0&cid=0573df0101b28784&ts=194&x=0"
2025-03-14 12:49:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	3
Start time:	08:49:06
Start date:	14/03/2025
Path:	C:\Users\user\Desktop\SOA FEB 2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA FEB 2025.exe"
Imagebase:	0x460000
File size:	513'024 bytes
MD5 hash:	24B863D9691AEC08E6E5CC6D82E9E566
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.1286881388.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:49:07
Start date:	14/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA FEB 2025.exe"
Imagebase:	0xcb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2521918566.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2523097849.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA FEB 2025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Dunlop

C:\Users\user\AppData\Local\Temp\aut4142.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Windows Analysis Report
SOA FEB 2025.exe