b1df719e729c278931dd9c1012e4a6906f90364053ea25770712444ec21535ce | Triage

Submit
Reports

Overview

overview

9

Static

static

SOA.exe

windows7-x64

9

SOA.exe

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

Target

SOA.exe
Size

710KB
Sample

230131-kc1kcshd2z
MD5

bd9177cc4451c7614dc5ad3d793aa71f
SHA1

1331882491ec58f3d324a64d245a487b396587d5
SHA256

b1df719e729c278931dd9c1012e4a6906f90364053ea25770712444ec21535ce
SHA512

735f83a4c06a750772329278a191c3d0b7d95f8912448d222be3d329596a06c40dbcb45e8e1411beec1fdb6d0ab94aecd2af33974e9a715a4ec811e989dc2965
SSDEEP

12288:yS4FR40+w0DtzsROLdrClNDndaIuxAe/CE1OOGOO/OOJQ2R3BDULjR/P3Y/UOHJG:zhzsYxcNDndNuxAe/CEqv03wJfPKIiWO

Score

9^/10

collection evasion

Static task

static1

Behavioral task

behavioral1

Sample

SOA.exe

Resource

win7-20220901-en

collection evasion

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

SOA.exe

Resource

win10v2004-20220812-en

collection evasion

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  SOA.exe
- Size
  
  710KB
- MD5
  
  bd9177cc4451c7614dc5ad3d793aa71f
- SHA1
  
  1331882491ec58f3d324a64d245a487b396587d5
- SHA256
  
  b1df719e729c278931dd9c1012e4a6906f90364053ea25770712444ec21535ce
- SHA512
  
  735f83a4c06a750772329278a191c3d0b7d95f8912448d222be3d329596a06c40dbcb45e8e1411beec1fdb6d0ab94aecd2af33974e9a715a4ec811e989dc2965
- SSDEEP
  
  12288:yS4FR40+w0DtzsROLdrClNDndaIuxAe/CE1OOGOO/OOJQ2R3BDULjR/P3Y/UOHJG:zhzsYxcNDndNuxAe/CEqv03wJfPKIiWO
Score

9^/10

collection evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

collectionevasion

behavioral2

collectionevasion

© 2018-2025

Terms | Privacy