Edit tour

Windows Analysis Report
SOA.exe

Overview

General Information

Sample Name:	SOA.exe
Analysis ID:	626099
MD5:	f18604d5fc3e2930e85c403e0e80a459
SHA1:	aa0517c10c333f9a9a64eba154ea915464ebf2bb
SHA256:	46584937f3c753886bb38030047dd11c73d46bf01c5e52a95118108634ee2081
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Writes to foreign memory regions

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SOA.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\SOA.exe" MD5: F18604D5FC3E2930E85C403E0E80A459)

RegSvcs.exe (PID: 6360 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1295185895", "Chat URL": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.700193844.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.700193844.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.474512000.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.474512000.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.474083361.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.474083361.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.473274806.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.473274806.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.473700502.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.473700502.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.480070555.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.480070555.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30ad8:$s10: logins 0x331274:$s11: credential 0x1e83:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2451:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x299d:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1cfb:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x1fa4:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: SOA.exe PID: 6968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SOA.exe PID: 6968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SOA.exe PID: 6968	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6360	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6360	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6360	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xa1f9:$s1: get_kbok 0x1c25c:$s1: get_kbok 0xaaa0:$s2: get_CHoo 0x1cb03:$s2: get_CHoo 0xb653:$s3: set_passwordIsSet 0x1d6b6:$s3: set_passwordIsSet 0xa0a5:$s4: get_enableLog 0x1c108:$s4: get_enableLog 0x9508:$g1: get_Clipboard 0x1b56b:$g1: get_Clipboard 0x9516:$g2: get_Keyboard 0x1b579:$g2: get_Keyboard 0x9523:$g3: get_Password 0x1b586:$g3: get_Password 0xa97a:$g4: get_CtrlKeyDown 0x1c9dd:$g4: get_CtrlKeyDown 0xa98a:$g5: get_ShiftKeyDown 0x1c9ed:$g5: get_ShiftKeyDown 0xa99b:$g6: get_AltKeyDown 0x1c9fe:$g6: get_AltKeyDown 0x21b35:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x33d54:$s10: logins 0x33629:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown 0x315e8:$g5: get_ShiftKeyDown 0x315f9:$g6: get_AltKeyDown
6.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.RegSvcs.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x33d54:$s10: logins 0x33629:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown 0x315e8:$g5: get_ShiftKeyDown 0x315f9:$g6: get_AltKeyDown
0.2.SOA.exe.362a900.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SOA.exe.362a900.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SOA.exe.362a900.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2efcf:$s1: get_kbok 0x2f92a:$s2: get_CHoo 0x3059d:$s3: set_passwordIsSet 0x2edd3:$s4: get_enableLog 0x33578:$s8: torbrowser 0x31f54:$s10: logins 0x31829:$s11: credential 0x2e1b6:$g1: get_Clipboard 0x2e1c4:$g2: get_Keyboard 0x2e1d1:$g3: get_Password 0x2f7d8:$g4: get_CtrlKeyDown 0x2f7e8:$g5: get_ShiftKeyDown 0x2f7f9:$g6: get_AltKeyDown
6.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.RegSvcs.exe.400000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x33d54:$s10: logins 0x33629:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown 0x315e8:$g5: get_ShiftKeyDown 0x315f9:$g6: get_AltKeyDown
6.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.RegSvcs.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x33d54:$s10: logins 0x33629:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown 0x315e8:$g5: get_ShiftKeyDown 0x315f9:$g6: get_AltKeyDown
6.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x33d54:$s10: logins 0x33629:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown 0x315e8:$g5: get_ShiftKeyDown 0x315f9:$g6: get_AltKeyDown
6.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.RegSvcs.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x33d54:$s10: logins 0x33629:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown 0x315e8:$g5: get_ShiftKeyDown 0x315f9:$g6: get_AltKeyDown
0.2.SOA.exe.362a900.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SOA.exe.362a900.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SOA.exe.362a900.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SOA.exe.362a900.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dcf:$s1: get_kbok 0x66def:$s1: get_kbok 0x3172a:$s2: get_CHoo 0x6774a:$s2: get_CHoo 0x3239d:$s3: set_passwordIsSet 0x683bd:$s3: set_passwordIsSet 0x30bd3:$s4: get_enableLog 0x66bf3:$s4: get_enableLog 0x35378:$s8: torbrowser 0x6b398:$s8: torbrowser 0x33d54:$s10: logins 0x69d74:$s10: logins 0x33629:$s11: credential 0x69649:$s11: credential 0x2ffb6:$g1: get_Clipboard 0x65fd6:$g1: get_Clipboard 0x2ffc4:$g2: get_Keyboard 0x65fe4:$g2: get_Keyboard 0x2ffd1:$g3: get_Password 0x65ff1:$g3: get_Password 0x315d8:$g4: get_CtrlKeyDown
0.2.SOA.exe.3508a50.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SOA.exe.3508a50.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SOA.exe.3508a50.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SOA.exe.3508a50.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x152c7f:$s1: get_kbok 0x188c9f:$s1: get_kbok 0x1535da:$s2: get_CHoo 0x1895fa:$s2: get_CHoo 0x15424d:$s3: set_passwordIsSet 0x18a26d:$s3: set_passwordIsSet 0x152a83:$s4: get_enableLog 0x188aa3:$s4: get_enableLog 0x157228:$s8: torbrowser 0x18d248:$s8: torbrowser 0x155c04:$s10: logins 0x18bc24:$s10: logins 0x1554d9:$s11: credential 0x18b4f9:$s11: credential 0x151e66:$g1: get_Clipboard 0x187e86:$g1: get_Clipboard 0x151e74:$g2: get_Keyboard 0x187e94:$g2: get_Keyboard 0x151e81:$g3: get_Password 0x187ea1:$g3: get_Password 0x153488:$g4: get_CtrlKeyDown
Click to see the 30 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 6.0.RegSvcs.exe.400000.4.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1295185895", "Chat URL": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument"}
Source: RegSvcs.exe.6360.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}

Multi AV Scanner detection for submitted file

Source: SOA.exe	Virustotal: Detection: 56%			Perma Link
Source: SOA.exe	ReversingLabs: Detection: 53%

Machine Learning detection for sample

Source: SOA.exe

Joe Sandbox ML: detected

Source: 6.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 6.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 6.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: SOA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SOA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.exe.362a900.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.exe.3508a50.2.raw.unpack, type: UNPACKEDPE

Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000006.00000002.703155934.00000000034AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bLHfhV.com
Source: RegSvcs.exe, 00000006.00000002.705181600.000000000632B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.435642434.000000000555D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SOA.exe, 00000000.00000003.435642434.000000000555D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comX
Source: RegSvcs.exe, 00000006.00000002.703086304.0000000003499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SOA.exe, 00000000.00000003.440875113.000000000552A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SOA.exe, 00000000.00000003.440412042.000000000552A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.F
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SOA.exe, 00000000.00000003.446934456.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SOA.exe, 00000000.00000003.446934456.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.446256425.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comC.TTFZ
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comM.TTF
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: SOA.exe, 00000000.00000003.446256425.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcea
Source: SOA.exe, 00000000.00000003.446256425.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: SOA.exe, 00000000.00000003.446934456.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.446256425.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdQ
Source: SOA.exe, 00000000.00000003.446256425.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: SOA.exe, 00000000.00000002.482171495.0000000005520000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.475894950.0000000005520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgreta
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: SOA.exe, 00000000.00000003.446256425.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commv
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivF
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.447402029.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comueed
Source: SOA.exe, 00000000.00000003.435412641.000000000555D000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SOA.exe, 00000000.00000003.435412641.000000000555D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com;S;
Source: SOA.exe, 00000000.00000003.438672593.0000000005522000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.439229235.0000000005529000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.438684745.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.439030633.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.439157151.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SOA.exe, 00000000.00000003.439030633.0000000005523000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SOA.exe, 00000000.00000003.438406518.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: SOA.exe, 00000000.00000003.438383167.000000000552C000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.438258519.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.438340040.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnkj
Source: SOA.exe, 00000000.00000003.438383167.000000000552C000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.438258519.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.438340040.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-s
Source: SOA.exe, 00000000.00000003.438672593.0000000005522000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.438684745.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cny
Source: SOA.exe, 00000000.00000003.448559842.000000000552A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SOA.exe, 00000000.00000003.442058750.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441539964.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SOA.exe, 00000000.00000003.442006747.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442505928.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: SOA.exe, 00000000.00000003.441539964.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: SOA.exe, 00000000.00000003.442505928.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Boldv
Source: SOA.exe, 00000000.00000003.442006747.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.443375135.000000000552B000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.444062249.000000000552B000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442900542.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442505928.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442058750.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441539964.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.443868372.000000000552B000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.443934615.000000000552B000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: SOA.exe, 00000000.00000003.442900542.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-e
Source: SOA.exe, 00000000.00000003.442006747.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442900542.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442505928.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442058750.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441539964.0000000005523000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: SOA.exe, 00000000.00000003.443934615.000000000552B000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SOA.exe, 00000000.00000003.442900542.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: SOA.exe, 00000000.00000003.442900542.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/m
Source: SOA.exe, 00000000.00000003.442006747.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442058750.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/lt
Source: SOA.exe, 00000000.00000003.442006747.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442505928.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442058750.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: SOA.exe, 00000000.00000003.442006747.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442505928.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.442058750.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: SOA.exe, 00000000.00000003.442900542.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: SOA.exe, 00000000.00000003.441742704.0000000005528000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.441856636.0000000005528000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/waS
Source: SOA.exe, 00000000.00000003.448417236.0000000005529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: SOA.exe, 00000000.00000003.434290760.000000000553B000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SOA.exe, 00000000.00000003.434290760.000000000553B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com-e=n
Source: SOA.exe, 00000000.00000003.434281330.0000000005544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comTF
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SOA.exe, 00000000.00000003.443375135.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comr
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SOA.exe, 00000000.00000003.439513237.0000000005524000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.439443516.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp, SOA.exe, 00000000.00000003.439443516.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SOA.exe, 00000000.00000003.447627882.000000000552A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deivb
Source: SOA.exe, 00000000.00000002.482711624.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000006.00000002.703086304.0000000003499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SOA.exe, 00000000.00000002.480070555.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.700193844.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.473274806.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Source: RegSvcs.exe, 00000006.00000002.703086304.0000000003499000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.705130100.000000000630A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentdocument-----
Source: RegSvcs.exe, 00000006.00000002.703086304.0000000003499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4Kl
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jkqQodeR5y.net
Source: SOA.exe, 00000000.00000002.480070555.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.700193844.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.473274806.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SOA.exe.362a900.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SOA.exe.362a900.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SOA.exe.3508a50.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 6360, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

.NET source code contains very large array initializations

Source: 6.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs	Large array initialization: .cctor: array initializer size 12054
Source: 6.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs	Large array initialization: .cctor: array initializer size 12054
Source: 6.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs	Large array initialization: .cctor: array initializer size 12054
Source: 6.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs	Large array initialization: .cctor: array initializer size 12054

Source: SOA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SOA.exe.362a900.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SOA.exe.362a900.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SOA.exe.3508a50.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000006.00000002.702221188.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: RegSvcs.exe PID: 6360, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\SOA.exe	Code function: 0_2_0230E4B9	0_2_0230E4B9
Source: C:\Users\user\Desktop\SOA.exe	Code function: 0_2_0230E4C8	0_2_0230E4C8
Source: C:\Users\user\Desktop\SOA.exe	Code function: 0_2_0230CBDC	0_2_0230CBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02F147A0	6_2_02F147A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02F14730	6_2_02F14730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02F14710	6_2_02F14710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02F1D660	6_2_02F1D660

Source: SOA.exe, 00000000.00000002.479817724.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SOA.exe
Source: SOA.exe, 00000000.00000002.476749846.00000000001DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamex2pyR.exe^ vs SOA.exe
Source: SOA.exe, 00000000.00000002.477962760.0000000002491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs SOA.exe
Source: SOA.exe, 00000000.00000002.477962760.0000000002491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoBLNvZyKJYCHghVcVugUtfbRmkDGLhBrmDQkpn.exe4 vs SOA.exe
Source: SOA.exe, 00000000.00000002.480070555.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SOA.exe
Source: SOA.exe, 00000000.00000002.480070555.00000000034AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoBLNvZyKJYCHghVcVugUtfbRmkDGLhBrmDQkpn.exe4 vs SOA.exe
Source: SOA.exe, 00000000.00000002.483419679.00000000076C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SOA.exe
Source: SOA.exe	Binary or memory string: OriginalFilenamex2pyR.exe^ vs SOA.exe

Source: SOA.exe	Virustotal: Detection: 56%
Source: SOA.exe	ReversingLabs: Detection: 53%

Source: SOA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SOA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SOA.exe "C:\Users\user\Desktop\SOA.exe"
Source: C:\Users\user\Desktop\SOA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\SOA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SOA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@3/2@1/0

Source: C:\Users\user\Desktop\SOA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SOA.exe

Mutant created: \Sessions\1\BaseNamedObjects\JHFJngVRuKk

Source: 6.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.3.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.3.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.2.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.2.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SOA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SOA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SOA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: initial sample

Static PE information: section name: .text entropy: 7.02001355184

Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SOA.exe PID: 6968, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SOA.exe TID: 6992

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SOA.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1673			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8179			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SOA.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SOA.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000006.00000002.705130100.000000000630A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SOA.exe, 00000000.00000002.479009843.0000000002728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SOA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SOA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SOA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\SOA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E72008	Jump to behavior

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SOA.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SOA.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}

Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SOA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Windows Analysis Report
SOA.exe