13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7 | Triage

Submit
Reports

Overview

overview

Static

static

7

13685be33c...c7.exe

windows7-x64

13685be33c...c7.exe

windows10-2004-x64

Sharing

General

Target

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
Size

1.3MB
Sample

221127-gwjt6sec35
MD5

01151ab7fc3222021cbab67f27622e8a
SHA1

caf0c1ef61f2846fb527dcca0f58543c25bb7496
SHA256

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
SHA512

4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8
SSDEEP

24576:cxTAxn1eTrQj9JPc9H+XD6krOlfKtBX8y3xyh2h8Qr7Rdwm:cxO889J8MD6krOlfKtBXLz8Qr7Ram

Score

10^/10

agilenet evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe

Resource

win7-20220901-en

agilenet evasion trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe

Resource

win10v2004-20221111-en

agilenet evasion trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
- Size
  
  1.3MB
- MD5
  
  01151ab7fc3222021cbab67f27622e8a
- SHA1
  
  caf0c1ef61f2846fb527dcca0f58543c25bb7496
- SHA256
  
  13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
- SHA512
  
  4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8
- SSDEEP
  
  24576:cxTAxn1eTrQj9JPc9H+XD6krOlfKtBX8y3xyh2h8Qr7Rdwm:cxO889J8MD6krOlfKtBXLz8Qr7Ram
Score

10^/10

agilenet evasion trojan
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Hidden Files and Directories

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agilenetevasiontrojan

behavioral2

agilenetevasiontrojan

© 2018-2024

Terms | Privacy