Overview

overview

8

Static

static

1375950da7...c9.exe

windows7_x64

8

1375950da7...c9.exe

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1375950da71f03040d4043d9d84ac4c9.exe

  • Size

    2.6MB

  • Sample

    210720-pzf9j3ad66

  • MD5

    1375950da71f03040d4043d9d84ac4c9

  • SHA1

    5f4baed37f6eb23d1b6efbe58ece75030f701a77

  • SHA256

    635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

  • SHA512

    900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Score
8/10
agilenetpersistence

Malware Config

Targets

    • Target

      1375950da71f03040d4043d9d84ac4c9.exe

    • Size

      2.6MB

    • MD5

      1375950da71f03040d4043d9d84ac4c9

    • SHA1

      5f4baed37f6eb23d1b6efbe58ece75030f701a77

    • SHA256

      635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

    • SHA512

      900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

    Score
    8/10
    agilenetpersistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks