ef1bc7566ce113d6af42b9eecc63f0b69b3eeebcc2896d63bf948be6c295dc3a

General

Target

bfca5d2ddd8840dc1f6c49309bbe1924.exe
Size

1.1MB
MD5

bfca5d2ddd8840dc1f6c49309bbe1924
SHA1

b0f0462dfa8fd68617a7e458f9f24586177b3ed2
SHA256

ef1bc7566ce113d6af42b9eecc63f0b69b3eeebcc2896d63bf948be6c295dc3a
SHA512

8c54c8a7a37c637dc6bde8603433b5da536a796aaccc19e22c1e781a9907e6d891b49bbf051837719ca582f3f1e154851ab82d1a53eb47ab2a882caf3c14dda7

Score

7^/10

agilenet spyware

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1984-63-0x0000000000A10000-0x0000000000A1B000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

bfca5d2ddd8840dc1f6c49309bbe1924.exe

description	pid	Process	procid_target
PID 1984 set thread context of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid	Process
1656	AddInProcess32.exe
1656	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bfca5d2ddd8840dc1f6c49309bbe1924.exeAddInProcess32.exe

description	pid	Process
Token: SeDebugPrivilege	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe
Token: SeDebugPrivilege	1656	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bfca5d2ddd8840dc1f6c49309bbe1924.exe

description	pid	Process	procid_target
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29
PID 1984 wrote to memory of 1656	1984	bfca5d2ddd8840dc1f6c49309bbe1924.exe	29

C:\Users\Admin\AppData\Local\Temp\bfca5d2ddd8840dc1f6c49309bbe1924.exe
"C:\Users\Admin\AppData\Local\Temp\bfca5d2ddd8840dc1f6c49309bbe1924.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1656-65-0x00000000004165CA-mapping.dmp

Download
memory/1656-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1656-68-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/1984-60-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1984-62-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1984-63-0x0000000000A10000-0x0000000000A1B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads