Malware Analysis Report

2025-05-28 16:41

Sample ID: 230706-3lhd9aeg49
Target: Fast Ping.exe
SHA256: da1555cad0d5e720a785aebf0fa343270663947a436b386b81982d34f0b96094
Tags: agilenet evasion themida trojan
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10
SHA256: da1555cad0d5e720a785aebf0fa343270663947a436b386b81982d34f0b96094
Threat Level: Likely malicious

The file Fast Ping.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-06 23:36

Signatures

Obfuscated with Agile.Net obfuscator
Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-06 23:35
Reported: 2023-07-06 23:38
Platform: win7-20230705-en
Max time kernel: 142s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Checks BIOS information in registry
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Loads dropped DLL
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Obfuscated with Agile.Net obfuscator
Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer
Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled
Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Program crash
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 2144 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | C:\Windows\system32\WerFault.exe
PID 2144 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | C:\Windows\system32\WerFault.exe
PID 2144 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | C:\Windows\system32\WerFault.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"

Process: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 2144 -s 620

Network

N/A

Files

memory/2144-54-0x00000000011F0000-0x0000000002180000-memory.dmp

\Users\Admin\AppData\Local\Temp\3e74ba8d-5406-4cb9-af74-f8c58cd602e5\AgileDotNetRT64.dll
MD5: e3bd88b3c3e9b33dfa72c814f8826cff
SHA1: 6d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA256: 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512: fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

memory/2144-61-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp

memory/2144-62-0x000000001BDF0000-0x000000001BE70000-memory.dmp

memory/2144-64-0x000007FEF6BB0000-0x000007FEF6CDC000-memory.dmp

memory/2144-63-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp

memory/2144-65-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp

memory/2144-66-0x000000001BDF0000-0x000000001BE70000-memory.dmp

memory/2144-75-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-06 23:35
Reported: 2023-07-06 23:38
Platform: win10v2004-20230703-en
Max time kernel: 121s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Checks BIOS information in registry
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Loads dropped DLL
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Obfuscated with Agile.Net obfuscator
Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer
Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled
Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A

Program crash
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"

Process: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 4376 -ip 4376

Process: C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 4376 -s 880

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.151.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.140.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
US | 92.123.26.208:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 208.26.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp

Files

memory/4376-133-0x000001C6F72E0000-0x000001C6F8270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e74ba8d-5406-4cb9-af74-f8c58cd602e5\AgileDotNetRT64.dll
MD5: e3bd88b3c3e9b33dfa72c814f8826cff
SHA1: 6d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA256: 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512: fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

memory/4376-140-0x000001C6FA790000-0x000001C6FA7A0000-memory.dmp

memory/4376-142-0x00007FFEBD8F0000-0x00007FFEBE14F000-memory.dmp

memory/4376-141-0x00007FFEBD8F0000-0x00007FFEBE14F000-memory.dmp

memory/4376-143-0x00007FFEC0530000-0x00007FFEC067E000-memory.dmp

memory/4376-144-0x00007FFEBD8F0000-0x00007FFEBE14F000-memory.dmp