abeaa67ebce8e8b6d406834c8d016567e5d5bf4e1d2209a45a96c300828b8ef8 | Triage

Submit
Reports

Overview

overview

7

Static

static

3

blitzed.exe

windows7-x64

7

blitzed.exe

windows10-2004-x64

7

Sharing

General

Target

blitzed.exe
Size

34.0MB
Sample

230402-hlkt6agd7y
MD5

677514f05118d9b3cd0e0c4eb4f26087
SHA1

c3883d160a7ceca9d2d441c6720370d510ed5b43
SHA256

abeaa67ebce8e8b6d406834c8d016567e5d5bf4e1d2209a45a96c300828b8ef8
SHA512

cfda4d80b541de89046b2678ee52f2df8ef7a9308da8ea74a4d071f9f7e0f1bbba202210f84e74a5d6d4a1653b4bfa4ab2a2a12b093b591182c8746ba801bd00
SSDEEP

393216:kjfeZBR3LD34p21mu7L/FD/ftnSyY+k4tO2dQ2lN/m3pW+9J8eHzD8YVQJdGd8v:OoP3LEpOmCLtTtY4tndQGK19J8eHnKh

Score

7^/10

agilenet persistence pyinstaller spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

blitzed.exe

Resource

win7-20230220-en

agilenet persistence pyinstaller

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

blitzed.exe

Resource

win10v2004-20230220-en

agilenet persistence pyinstaller spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  blitzed.exe
- Size
  
  34.0MB
- MD5
  
  677514f05118d9b3cd0e0c4eb4f26087
- SHA1
  
  c3883d160a7ceca9d2d441c6720370d510ed5b43
- SHA256
  
  abeaa67ebce8e8b6d406834c8d016567e5d5bf4e1d2209a45a96c300828b8ef8
- SHA512
  
  cfda4d80b541de89046b2678ee52f2df8ef7a9308da8ea74a4d071f9f7e0f1bbba202210f84e74a5d6d4a1653b4bfa4ab2a2a12b093b591182c8746ba801bd00
- SSDEEP
  
  393216:kjfeZBR3LD34p21mu7L/FD/ftnSyY+k4tO2dQ2lN/m3pW+9J8eHzD8YVQJdGd8v:OoP3LEpOmCLtTtY4tndQGK19J8eHnKh
Score

7^/10

agilenet persistence pyinstaller spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

agilenetpersistencepyinstaller

behavioral2

agilenetpersistencepyinstallerspywarestealer

© 2018-2024

Terms | Privacy