97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3 | Triage

Submit
Reports

Overview

overview

8

Static

static

7

97c7006d00...f3.exe

windows7-x64

8

97c7006d00...f3.exe

windows10-2004-x64

8

Sharing

General

Target

97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3
Size

1.7MB
Sample

221124-qbppcseg89
MD5

01b651ca7249e21bd2ba72c014f5f789
SHA1

8e7c80dd469d7151194bc912955e27cbc55a8964
SHA256

97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3
SHA512

6c23ee42722e1acfb0646c9a6cbbac77a1dd7c730a003cfe4953d105e0b7631b204f20d302730b9d2da42febfe3bfc21477babf71c55e0e65b2c3edbef60f3eb
SSDEEP

24576:LwFyVbnD8EtRez82OAiIBvFybiAHL9TNkY8htqk6Ubm:vPtROpFiITAdZTCbMklbm

Score

8^/10

agilenet evasion persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3.exe

Resource

win7-20221111-en

agilenet evasion persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3.exe

Resource

win10v2004-20220812-en

agilenet persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3
- Size
  
  1.7MB
- MD5
  
  01b651ca7249e21bd2ba72c014f5f789
- SHA1
  
  8e7c80dd469d7151194bc912955e27cbc55a8964
- SHA256
  
  97c7006d0063be5f926f6dad63c58d71e65e0d5ddbce0ea1dc6823ef768073f3
- SHA512
  
  6c23ee42722e1acfb0646c9a6cbbac77a1dd7c730a003cfe4953d105e0b7631b204f20d302730b9d2da42febfe3bfc21477babf71c55e0e65b2c3edbef60f3eb
- SSDEEP
  
  24576:LwFyVbnD8EtRez82OAiIBvFybiAHL9TNkY8htqk6Ubm:vPtROpFiITAdZTCbMklbm
Score

8^/10

agilenet evasion persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetevasionpersistence

behavioral2

agilenetpersistence

© 2018-2024

Terms | Privacy