Overview

overview

10

Static

static

AD6OSOTU.exe

windows7_x64

10

AD6OSOTU.exe

windows10-2004_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e4a9653f671e29f36f575a2861deea2353b68953a2eda4697a49053abbd4ee98

  • Size

    1.3MB

  • Sample

    220521-cdwzkaggbq

  • MD5

    199a758dc4cfa9ff5bedf8eb9559ae65

  • SHA1

    3a35762496198d1e7d3329efec28eb45870ded33

  • SHA256

    e4a9653f671e29f36f575a2861deea2353b68953a2eda4697a49053abbd4ee98

  • SHA512

    21354ff9ae34b97b542f83170bdda0c37267292166162636880fd9b316c1fc2bf45ccbd20f9cceadd32a0fe1695fc2c5ebabc998581bcba3fe4c9f44576bbf74

Score
10/10
agilenetcoreentitypersistencerezer0

Malware Config

Targets

    • Target

      AD6OSOTU.EXE

    • Size

      812KB

    • MD5

      d3d8e697f01dfa55054727f4653c8673

    • SHA1

      8bde1f7210b448b23e622ae9f7d2b324dc5bdf1e

    • SHA256

      505fb0a37da3e27d2f40ba8ec69ed380b743f952deea93bab1e7a6167d36e586

    • SHA512

      f90433f67bb1f53eaca717c4c94fce3710220019c2ecba35f70b93abe68888a40e525909f09e842876dfb66e89e0542f39d15b1918443f1137be576cd1d167fa

    Score
    10/10
    agilenetcoreentityrezer0persistence

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks