ef1bc7566ce113d6af42b9eecc63f0b69b3eeebcc2896d63bf948be6c295dc3a

General

Target

bfca5d2ddd8840dc1f6c49309bbe1924.exe
Size

1.1MB
MD5

bfca5d2ddd8840dc1f6c49309bbe1924
SHA1

b0f0462dfa8fd68617a7e458f9f24586177b3ed2
SHA256

ef1bc7566ce113d6af42b9eecc63f0b69b3eeebcc2896d63bf948be6c295dc3a
SHA512

8c54c8a7a37c637dc6bde8603433b5da536a796aaccc19e22c1e781a9907e6d891b49bbf051837719ca582f3f1e154851ab82d1a53eb47ab2a882caf3c14dda7

Score

7^/10

agilenet spyware

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3108-120-0x0000000004E50000-0x0000000004E5B000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

bfca5d2ddd8840dc1f6c49309bbe1924.exe

description pid process target process

PID 3108 set thread context of 2888 3108 bfca5d2ddd8840dc1f6c49309bbe1924.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

2888 AddInProcess32.exe
2888 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bfca5d2ddd8840dc1f6c49309bbe1924.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 3108 bfca5d2ddd8840dc1f6c49309bbe1924.exe
Token: SeDebugPrivilege 2888 AddInProcess32.exe

description	pid	process	target process
PID 3108 set thread context of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe

pid	process
2888	AddInProcess32.exe
2888	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe
Token: SeDebugPrivilege	2888	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bfca5d2ddd8840dc1f6c49309bbe1924.exe

description	pid	process	target process
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe
PID 3108 wrote to memory of 2888	3108	bfca5d2ddd8840dc1f6c49309bbe1924.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\bfca5d2ddd8840dc1f6c49309bbe1924.exe
"C:\Users\Admin\AppData\Local\Temp\bfca5d2ddd8840dc1f6c49309bbe1924.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-131-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2888-132-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/2888-128-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2888-129-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2888-125-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2888-135-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/2888-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2888-122-0x00000000004165CA-mapping.dmp

Download
memory/2888-136-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/2888-134-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/2888-133-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/2888-130-0x00000000065A0000-0x00000000065A1000-memory.dmp

Filesize
4KB

Download
memory/3108-120-0x0000000004E50000-0x0000000004E5B000-memory.dmp

Filesize
44KB

Download
memory/3108-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3108-118-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3108-117-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3108-116-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3108-119-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing