Overview

overview

8

Static

static

zergb.exe

windows7_x64

8

zergb.exe

windows10_x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-11-2020 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zergb.exe

  • Size

    808KB

  • MD5

    d3dee81cd147380fc01723cd3acb0cee

  • SHA1

    b26c8f5eca80140a68665447bd2a463feb38cfa5

  • SHA256

    63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7

  • SHA512

    ad500e7070b17275312d58cca71618ef18a94efc9dd34a8933945cd1c09b67485dc22bf26f342bdc0e35449790600193f0b4ebd72c10a2aea37cd67ffad29bb8

Score
7/10
agilenetspyware

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 23 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\zergb.exe
    "C:\Users\Admin\AppData\Local\Temp\zergb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\zergb.exe
      "C:\Users\Admin\AppData\Local\Temp\zergb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:2140
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
              PID:2828
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              4⤵
                PID:3688
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:184
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:1008
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show networks mode=bssid
                  4⤵
                    PID:1232
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 2956
                  3⤵
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1936
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1616

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • \Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
              MD5

              14ff402962ad21b78ae0b4c43cd1f194

              SHA1

              f8a510eb26666e875a5bdd1cadad40602763ad72

              SHA256

              fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

              SHA512

              daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

              Download Submit
            • \Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll
              MD5

              14ff402962ad21b78ae0b4c43cd1f194

              SHA1

              f8a510eb26666e875a5bdd1cadad40602763ad72

              SHA256

              fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

              SHA512

              daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

              Download Submit
            • memory/184-23-0x0000000000000000-mapping.dmp
              Download
            • memory/540-3-0x0000000000800000-0x0000000000801000-memory.dmp
              Filesize

              4KB

              Download
            • memory/540-5-0x0000000001320000-0x0000000001352000-memory.dmp
              Filesize

              200KB

              Download
            • memory/540-7-0x00000000061D0000-0x00000000061D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/540-8-0x0000000005DB0000-0x0000000005DB1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/540-9-0x0000000005820000-0x0000000005836000-memory.dmp
              Filesize

              88KB

              Download
            • memory/540-2-0x0000000073520000-0x0000000073C0E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1008-24-0x0000000000000000-mapping.dmp
              Download
            • memory/1232-25-0x0000000000000000-mapping.dmp
              Download
            • memory/1308-31-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-37-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-51-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-50-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-46-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-16-0x0000000004C30000-0x0000000004C31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1308-14-0x0000000000800000-0x0000000000830000-memory.dmp
              Filesize

              192KB

              Download
            • memory/1308-13-0x0000000073520000-0x0000000073C0E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1308-49-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-29-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-30-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-12-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-32-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-33-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-34-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-35-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-36-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-48-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-38-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-39-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-40-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-41-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-42-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-43-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-44-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-45-0x0000000000424006-mapping.dmp
              Download
            • memory/1308-47-0x0000000000424006-mapping.dmp
              Download
            • memory/1936-26-0x0000000004E90000-0x0000000004E91000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1936-52-0x00000000057C0000-0x00000000057C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2140-20-0x0000000000000000-mapping.dmp
              Download
            • memory/2668-19-0x0000000000000000-mapping.dmp
              Download
            • memory/2828-21-0x0000000000000000-mapping.dmp
              Download
            • memory/3688-22-0x0000000000000000-mapping.dmp
              Download