Analysis

  • max time kernel: 113s
  • max time network: 13s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 08-04-2021 12:03

General

  • Target: Rage Injector v2.0.exe
  • Size: 444KB
  • MD5: 3cd5c25179eb316711630698a713b187
  • SHA1: d77ec46b4bd6d47e4b167ce1aaabec72981730a6
  • SHA256: f4f845267f7126cfdfc8ca2aa6ebe1dd3833a74e393b1d0acf76cb33acb3e740
  • SHA512: ef7f6dbcaba58289b61fb9bc29d1707caa9d66e8f662a79a29af38cc2fb8e25054e5e7157263c70e93c852d2cf5780e2df3bdacc3d567d4cedf26cd2d5502652

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. Neither process in the tree below carries this tag, so the report does not show which process performed the reads.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rage Injector v2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Rage Injector v2.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2004 -s 1124
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files, T1081 (1)
  • Collection: Data from Local System, T1005 (1)


Downloads

  • \Users\Admin\AppData\Local\Temp\9cd3d4cf-a897-4be6-af78-67aff3a297b5\AgileDotNetRT64.dll
    MD5: e8641f344213ca05d8b5264b5f4e2dee
    SHA1: 96729e31f9b805800b2248fd22a4b53e226c8309
    SHA256: 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
    SHA512: 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

  • \Users\Admin\AppData\Local\Temp\d5d70971-f4f3-4ecf-92b7-a31aca428458\AgileDotNetRT64.dll
    MD5: e8641f344213ca05d8b5264b5f4e2dee
    SHA1: 96729e31f9b805800b2248fd22a4b53e226c8309
    SHA256: 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
    SHA512: 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

  • memory/1608-67-0x0000000000000000-mapping.dmp
  • memory/1608-68-0x000007FEFC371000-0x000007FEFC373000-memory.dmp (8KB)
  • memory/1608-70-0x0000000000530000-0x0000000000531000-memory.dmp (4KB)
  • memory/2004-59-0x00000000010C0000-0x00000000010C1000-memory.dmp (4KB)
  • memory/2004-63-0x000000001ADC0000-0x000000001ADC2000-memory.dmp (8KB)
  • memory/2004-64-0x0000000000AD0000-0x0000000000B16000-memory.dmp (280KB)
  • memory/2004-65-0x000000001ACA0000-0x000000001AD07000-memory.dmp (412KB)
  • memory/2004-69-0x000000001ADC6000-0x000000001ADE5000-memory.dmp (124KB)
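Two checks a practitioner would script from this report, written here as an added example (not sandbox output and not code from the sample): recognising the Agile.NET runtime being unpacked to a GUID-named folder under the user's Temp directory and confirming the drop against the SHA256 recorded above, and parsing the -p argument on WerFault.exe's command line to tie the "Program crash" signature to the sample's own PID. The record lists are constructed from the Processes and Downloads sections; the sample's parent PID (0) and the third, decoy drop entry are placeholders, and the path pattern covers only the 64-bit filename AgileDotNetRT64.dll seen in this run.

```python
"""Triage helpers for the sandbox report above (added example, not report output)."""
import re

# SHA256 of AgileDotNetRT64.dll as recorded in the report's Downloads section.
AGILE_RT64_SHA256 = "85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24"

# Drop path seen twice in the report: \Users\<user>\AppData\Local\Temp\<GUID>\AgileDotNetRT64.dll
# An optional drive letter is accepted so the same pattern works on full paths.
_GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
AGILE_DROP_RE = re.compile(
    r"^(?:[A-Za-z]:)?\\Users\\[^\\]+\\AppData\\Local\\Temp\\" + _GUID + r"\\AgileDotNetRT64\.dll$",
    re.IGNORECASE,
)

# WerFault.exe is launched with "-p <pid>" naming the faulting process.
_WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?=\s|$)")


def match_dropped_agile_runtime(drops):
    """Return the paths of dropped files that sit in a GUID-named Temp folder,
    are named AgileDotNetRT64.dll and whose SHA256 equals the recorded one.
    `drops` is an iterable of (path, sha256_hex) pairs."""
    return [
        path
        for path, sha256 in drops
        if AGILE_DROP_RE.match(path) and sha256.lower() == AGILE_RT64_SHA256
    ]


def werfault_faulting_pid(cmdline):
    """Extract the PID passed to WerFault.exe via -p; None if absent or malformed."""
    m = _WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def crashed_processes(processes):
    """Map each WerFault.exe process to the PID it reports on, and flag whether that
    PID is also WerFault's parent (the usual shape: the crashing process spawns
    WerFault itself). `processes` is a list of dicts with keys pid, ppid, image,
    cmdline. Returns {werfault_pid: (faulting_pid, faulting_is_parent)}."""
    result = {}
    for proc in processes:
        if not proc["image"].lower().endswith("\\werfault.exe"):
            continue
        faulting = werfault_faulting_pid(proc["cmdline"])
        if faulting is not None:
            result[proc["pid"]] = (faulting, faulting == proc["ppid"])
    return result


# Constructed from the Downloads section; the third entry is a decoy that lacks the
# GUID folder and carries a different hash, so it must not match.
SAMPLE_DROPS = [
    (r"\Users\Admin\AppData\Local\Temp\9cd3d4cf-a897-4be6-af78-67aff3a297b5\AgileDotNetRT64.dll",
     AGILE_RT64_SHA256),
    (r"\Users\Admin\AppData\Local\Temp\d5d70971-f4f3-4ecf-92b7-a31aca428458\AgileDotNetRT64.dll",
     AGILE_RT64_SHA256),
    (r"\Users\Admin\AppData\Local\Temp\AgileDotNetRT64.dll", "00" * 32),
]

# Constructed from the Processes section; ppid 0 for the sample is a placeholder,
# the report does not give its parent.
SAMPLE_PROCESSES = [
    {"pid": 2004, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Rage Injector v2.0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Rage Injector v2.0.exe"'},
    {"pid": 1608, "ppid": 2004,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 2004 -s 1124"},
]

if __name__ == "__main__":
    for hit in match_dropped_agile_runtime(SAMPLE_DROPS):
        print("Agile.NET runtime drop:", hit)
    for wer_pid, (faulting, is_parent) in crashed_processes(SAMPLE_PROCESSES).items():
        print(f"WerFault {wer_pid} reports crash of PID {faulting} (is parent: {is_parent})")
```

Run against the two records from this report, the drop matcher returns both GUID-folder paths and rejects the decoy, and the crash check resolves WerFault PID 1608 to PID 2004, which is both the -p argument and its parent: the crash belongs to the sample itself, not to some third process.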