Overview

overview

10

Static

static

7

SaturnX-F2.exe

windows10-1703-x64

10

Resubmissions

03-12-2023 00:19

231203-amk8bage59 10

Analysis

  • max time kernel
    203s
  • max time network
    202s
  • platform
    windows10-1703_x64
  • resource
    win10-20231129-en
  • resource tags

    arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-12-2023 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SaturnX-F2.exe

  • Size

    2.9MB

  • MD5

    406377b13d97be6601b006bd542ebed7

  • SHA1

    65a9cc706a89c0d0bd832ed0af5cb2b06826711c

  • SHA256

    2ab087bb4ed0cd582d516182549de9755c5972a8955cddaa95675e93610cb993

  • SHA512

    02c0143c6a8da45325dc3b912ae9b517d6007d55af6da9f35638bd9160693a8ec7d4b7794728d32eea93d42d8a0857f1d475489bd1e1daefb98639b0ea5bef84

  • SSDEEP

    49152:gxlRxlWfZ628CpyVEiUa5z8QE2j8e4go6oQhZsukz:gPRPWfM27b7e4go6xhZsD

Score
10/10
agentteslaagilenetevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SaturnX-F2.exe
    "C:\Users\Admin\AppData\Local\Temp\SaturnX-F2.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4836
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1048
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.0.844653863\1951179629" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1356 -prefsLen 20598 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d52422-b4e3-4f85-b5e3-6ef5dbaa25c0} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1780 279177cf558 gpu
          3⤵
            PID:2808
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.1.565812601\1121286171" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20679 -prefMapSize 233275 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0734ddbc-14f6-4eae-91ac-323e1a6fc81d} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 2136 27917130b58 socket
            3⤵
              PID:4640
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.2.1065894143\1116712847" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2796 -prefsLen 20782 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2a01029-0eee-405b-99ba-4c3fe14ee5c0} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 2956 2791b535d58 tab
              3⤵
                PID:4112
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.3.922995240\1342180347" -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 25954 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2454142c-cb28-445b-a0f7-245072265de7} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3612 2790c562258 tab
                3⤵
                  PID:2580
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.4.975745560\807819110" -childID 3 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 26013 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52711724-c4a4-430f-847b-c5ecf0940a28} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3932 2791c7aeb58 tab
                  3⤵
                    PID:3460
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.5.515953272\1124909433" -childID 4 -isForBrowser -prefsHandle 4756 -prefMapHandle 4748 -prefsLen 26013 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8852189d-00f6-4b52-9bb5-564ca34b2a24} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 4768 2791cf91858 tab
                    3⤵
                      PID:2776
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.7.2041344372\2008439509" -childID 6 -isForBrowser -prefsHandle 4788 -prefMapHandle 4768 -prefsLen 26013 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a06d984c-e25d-4b7d-b105-3b30197e89a4} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 4792 2791d81c658 tab
                      3⤵
                        PID:4060
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.6.44411971\157090030" -childID 5 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26013 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a321dbef-4733-4735-b11f-4f1d400f2319} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 4896 2791d1f2858 tab
                        3⤵
                          PID:1500
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.8.2074714566\424058102" -childID 7 -isForBrowser -prefsHandle 4076 -prefMapHandle 4080 -prefsLen 26188 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57588186-40c7-4554-9b42-c45deb7ee29b} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 5136 2791a699258 tab
                          3⤵
                            PID:2472
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.9.367736540\1165949163" -childID 8 -isForBrowser -prefsHandle 4868 -prefMapHandle 4880 -prefsLen 27178 -prefMapSize 233275 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bef33ea1-2fd2-4509-ac01-13b7daba4c1f} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 4816 2790c52fc58 tab
                            3⤵
                              PID:4068

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ro90faoz.default-release\cache2\doomed\26946
                          Filesize

                          186B

                          MD5

                          86007d2c49d0eaa16e1a30a9ace292d4

                          SHA1

                          1aed04b4b71a5e6d5de426860a82397e987c3ae7

                          SHA256

                          c843c1e6aeee09659dc75b7624520bb380bcd667a131f70d9db2099cd19ef45e

                          SHA512

                          f8f2583b28e7b88229b280e109a41cc7afa7cd9cba614cadd953e90907dc034ef15b91013f25e7c71692a2244110674eafdc625928a2a859fd460c27a7491c70

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\datareporting\glean\db\data.safe.bin
                          Filesize

                          8KB

                          MD5

                          5eb14f6c1ba039a43d2c03586d1e4cd0

                          SHA1

                          47a84c489fd67e329c1771b3ae1f9c5cb271a8ef

                          SHA256

                          d40b0b3f89a141662ef4134bf07646e368847872aa53a11de36f7c120423f709

                          SHA512

                          0057cca6adc893315a4c33d51ba7034a547049accdc0577b54f9cb5775011681ea361e9ea9362db93761aa3bbe9a9002c5ed16bc9946a6fdd69ba4961bd2d45a

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\datareporting\glean\pending_pings\79ffaa0f-33c2-4a82-b9c5-45af631689b9
                          Filesize

                          657B

                          MD5

                          ddd22797058d6f4c548860101e691a50

                          SHA1

                          8d06484f86a30b08f13fae7d25e8483ed8cc3b5f

                          SHA256

                          227b2f92f3525f938eea2672c4fe212ed13d19eda0422ad67e2c163bec2fb3dd

                          SHA512

                          26068db065cdafec292a0224c9952a55ef252e6641806c47ddd58ffa6b4fb358fd928649737c20bd37606585c42322a4c749577bfa47ec9913746ebac9e11649

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          c0fc3a644fcbd0e9fd5b3a3a04c168ce

                          SHA1

                          f38a2734f4f884480d2b3ecd6a724994693b0bb4

                          SHA256

                          34a480a7b8168c422675e75dcbad7687016a0ac0f99a6cfda255b2066924ab15

                          SHA512

                          90fc89e907d85b8dff2c67e4d77d4227bff4b16729538e1c7c0959023c01eae393ed6b734099864957169f0c43457cd036740dc345dd0c7e9fb39ccb38a554f4

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\prefs-1.js
                          Filesize

                          7KB

                          MD5

                          945a414f9e3d0777409995921cfe1ef1

                          SHA1

                          e7379053f06075fa02d9c016f0b99136ae404d7e

                          SHA256

                          f1a82404606ad98a8aeb35ad7ad76e86de1d0c0789c7f8aa1f33e4b2eb4b2144

                          SHA512

                          fa416487fac6a425ac0a5443ec3a0cba991e01dedfedff5c374e58b442d2c9274f05434cf1f5c681c12c3ac15094571e64a0cdf0fe9610ade1e6cb55e0f4f5a4

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          ff8e9ac254fa81792e2dcddc7f73142c

                          SHA1

                          d35434cefbd9b9710cec45f88b9f7dda96dd037b

                          SHA256

                          4fc513a9caff9b7bf4c6c8c3ca0e10b99a12627ab7313e78fa7750773eb9cfb2

                          SHA512

                          28523fb48049731edd7e8fba7fd9c54af7399ba65cb6f662d7a2b01847ff1aa5969f191d92f61f8787fb4e56f22f91844fb957048c64e42b3c6d846db82b336a

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          d6b6ec8ce3c7800c4ac148fa5fe7e1bc

                          SHA1

                          4fb296439132be6c00626dd01e069f67020bfc25

                          SHA256

                          2bd6b645d1882dabae9f7175a3fe4720da778c688a88014df005e8905a90f119

                          SHA512

                          f844ad9a329461d2f6a63e4758f4a5b88aa888ff525b8bbc58d47bb303513577f0887485ad2ecc2a7ad224460b8dc67776930c11a8cbe66a7b613dfa526bdc36

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          c1d0171106e5ade2a9eee4bb57f1e2a8

                          SHA1

                          650dd7a644ddea6df62a6db765202d99646b1036

                          SHA256

                          5dd859283ca24d0d3f78e03d13494b607dbc40dde5d345d22b603bb87eb126c7

                          SHA512

                          163184ea745f65fa5606fcc6c05f542b6a921f7a5e2ddfa6d95e9ad63c6c422e621a1bf9de0b7d5dd7e16a57334fc6d3cff9ecabcb70c37ac3ccbb4bad31f010

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ro90faoz.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          ae469aea8571052bdf0d1cad51d8cfb2

                          SHA1

                          64d61c1bb7cd2f59ae2d19ed175cefa4e32865a9

                          SHA256

                          81e2072a8210b2ef6f54f18243270ca5de4472f385741eebc5e417dca4e7d527

                          SHA512

                          8099d14a3f8e7db99a84cfd290220bd91fa57f399bb3001dd1c4550c747f8d414490ce81fc8ee5199d2aa387e479f052d381bb44ec116000435d13afe40da657

                          Download Submit

                        • memory/4836-5-0x000001C6D1DB0000-0x000001C6D1FC4000-memory.dmp

                          Filesize

                          2.1MB

                          Download

                        • memory/4836-10-0x000001C6D1BC0000-0x000001C6D1BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4836-11-0x000001C6D1BC0000-0x000001C6D1BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4836-9-0x000001C6D1BC0000-0x000001C6D1BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4836-8-0x00007FF831EE0000-0x00007FF8328CC000-memory.dmp

                          Filesize

                          9.9MB

                          Download

                        • memory/4836-7-0x000001C6D1BC0000-0x000001C6D1BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4836-6-0x000001C6D1BC0000-0x000001C6D1BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4836-0-0x000001C6B72C0000-0x000001C6B75B8000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/4836-4-0x000001C6B79A0000-0x000001C6B79B2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/4836-2-0x000001C6D1BC0000-0x000001C6D1BD0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4836-3-0x000001C6D1A40000-0x000001C6D1BA6000-memory.dmp

                          Filesize

                          1.4MB

                          Download

                        • memory/4836-1-0x00007FF831EE0000-0x00007FF8328CC000-memory.dmp

                          Filesize

                          9.9MB

                          Download