Analysis
- max time kernel: 61s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 12:03
Static task: static1
Behavioral task: behavioral1
Sample: Rage Injector v2.0.exe
Resource: win7v20201028
General
- Target: Rage Injector v2.0.exe
- Size: 444KB
- MD5: 3cd5c25179eb316711630698a713b187
- SHA1: d77ec46b4bd6d47e4b167ce1aaabec72981730a6
- SHA256: f4f845267f7126cfdfc8ca2aa6ebe1dd3833a74e393b1d0acf76cb33acb3e740
- SHA512: ef7f6dbcaba58289b61fb9bc29d1707caa9d66e8f662a79a29af38cc2fb8e25054e5e7157263c70e93c852d2cf5780e2df3bdacc3d567d4cedf26cd2d5502652
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description: PID 1948 created 1908; pid: 1948; process: WerFault.exe; target process: Rage Injector v2.0.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 1908; process: Rage Injector v2.0.exe
    pid: 1908; process: Rage Injector v2.0.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource: behavioral2/memory/1908-119-0x000000001B3B0000-0x000000001B417000-memory.dmp; yara_rule: agile_net
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Program crash (1 IoC)
  Processes:
    pid: 1948; pid_target: 1908; process: WerFault.exe; target process: Rage Injector v2.0.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
    pid: 1908; process: Rage Injector v2.0.exe (5 occurrences)
    pid: 1948; process: WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid: 1908; process: Rage Injector v2.0.exe
    description: Token: SeDebugPrivilege; pid: 1948; process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Rage Injector v2.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rage Injector v2.0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1908 -s 1452
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\9cd3d4cf-a897-4be6-af78-67aff3a297b5\AgileDotNetRT64.dll
  MD5: e8641f344213ca05d8b5264b5f4e2dee
  SHA1: 96729e31f9b805800b2248fd22a4b53e226c8309
  SHA256: 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
  SHA512: 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
- \Users\Admin\AppData\Local\Temp\d5d70971-f4f3-4ecf-92b7-a31aca428458\AgileDotNetRT64.dll
  MD5: e8641f344213ca05d8b5264b5f4e2dee
  SHA1: 96729e31f9b805800b2248fd22a4b53e226c8309
  SHA256: 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
  SHA512: 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
- memory/1908-114-0x00000000006E0000-0x00000000006E1000-memory.dmp
  Filesize: 4KB
- memory/1908-117-0x00007FFCB1940000-0x00007FFCB1A6C000-memory.dmp
  Filesize: 1.2MB
- memory/1908-119-0x000000001B3B0000-0x000000001B417000-memory.dmp
  Filesize: 412KB
- memory/1908-118-0x000000001B0F0000-0x000000001B136000-memory.dmp
  Filesize: 280KB
- memory/1908-120-0x000000001B190000-0x000000001B192000-memory.dmp
  Filesize: 8KB
- memory/1908-122-0x000000001B192000-0x000000001B194000-memory.dmp
  Filesize: 8KB
- memory/1908-123-0x000000001B194000-0x000000001B195000-memory.dmp
  Filesize: 4KB
- memory/1908-124-0x000000001B197000-0x000000001B199000-memory.dmp
  Filesize: 8KB
- memory/1908-125-0x000000001B195000-0x000000001B197000-memory.dmp
  Filesize: 8KB