General
Target: SaturnX-F2.exe
Size: 2.9MB
Sample: 231202-3tapdagd65
MD5: 406377b13d97be6601b006bd542ebed7
SHA1: 65a9cc706a89c0d0bd832ed0af5cb2b06826711c
SHA256: 2ab087bb4ed0cd582d516182549de9755c5972a8955cddaa95675e93610cb993
SHA512: 02c0143c6a8da45325dc3b912ae9b517d6007d55af6da9f35638bd9160693a8ec7d4b7794728d32eea93d42d8a0857f1d475489bd1e1daefb98639b0ea5bef84
SSDEEP: 49152:gxlRxlWfZ628CpyVEiUa5z8QE2j8e4go6oQhZsukz:gPRPWfM27b7e4go6xhZsD
Malware Config
Targets
Target: SaturnX-F2.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla payload
- Checks for common network interception software: looks in the registry for tools like Wireshark or Fiddler, which are commonly used to analyze network activity.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)