General
Target: Crystal_Temp_Perm.zip
Size: 7.9MB
Sample: 240326-ya2arsdc91
MD5: 2b1df1859620c761d8e57c992f1bf88a
SHA1: 3a18a399370486a300d424f5f279281bc67b2985
SHA256: a140b83fdaa58e7b736f54e6c03b6013edb4e6e39ea54466d07bd381bc551f3d
SHA512: 4630042b47aa7d3be2dcbd3745c4e7fc12c709300143c2dd15fdb4291d106e92e45728f4ab8d131718208195a2bc3e0bad10c8a9fc975db5e4f48370e11d3486
SSDEEP: 196608:d8cptv0V2yDw7ULMB7hroYvYM6prkiNhIQrRsTX85zW9:acxktMB7hrosYM6JjhIQNsrV9
Behavioral task: behavioral1
Sample: Crystal Temp+ Perm/Aremi v3_protected.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral2
Sample: Crystal Temp+ Perm/Guna.UI2.dll
Resource: win10v2004-20240319-en

Behavioral task: behavioral3
Sample: Crystal Temp+ Perm/aremi v3.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral4
Sample: Crystal Temp+ Perm/aremi v3_protected.exe
Resource: win10v2004-20240226-en
Malware Config

Targets

Target: Crystal Temp+ Perm/Aremi v3_protected.exe
Size: 5.8MB
MD5: 30818cad2e5983aa365339ac70ed29ec
SHA1: 76c48c83c2d891f9a307b3a087b7ca29b844c06e
SHA256: 8a956dd81ce0c500f2a8ca58febde609733686dae94c91263ad7bc560e4ba9a4
SHA512: a33f0a91f7fb37996bad0992256c23d83b78fb7335c28c257fb4b97648eb69a7399f47486b61c16a1890e5139891ad70ffbd677ec4edadb62aaac702384e12a3
SSDEEP: 98304:HqvT9n5S50x9ojeVlqHOEULzgLOLkD9KCAbN3pwim/OIgWMDgdMCMDgx:K7TSypVlASLzsJ9KdNZ6gWMDgdMCMDgx

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies visibility of hidden/system files in Explorer
- AgentTesla payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Crystal Temp+ Perm/Guna.UI2.dll
Size: 2.1MB
MD5: c19e9e6a4bc1b668d19505a0437e7f7e
SHA1: 73be712aef4baa6e9dabfc237b5c039f62a847fa
SHA256: 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
SHA512: b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
SSDEEP: 49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score: 1/10
Target: Crystal Temp+ Perm/aremi v3.exe
Size: 1.6MB
MD5: 1b49c25d797f1a978d11c8334d693995
SHA1: 16f8272975123b5f2e1af72c038a30737823c3e1
SHA256: 7ab837a255697285865c093d5c6fe44f36e0cf72febaabbdc97634fdae0a4f69
SHA512: 0f28f88380dc1bccdad371dd1f19927706fad760c6c5a2f3a6b4072fb772234533148f3d990c42d13c1f683536f1b1974b7c8412d5158643af07cb1a9c5a3ebf
SSDEEP: 24576:X41t5iCct5iCD+Mvpt5iCct5iCc+Mvr+Mvpt5iCct5iCg:IgWMvLgdMv6MvLg
Score: 10/10

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
Target: Crystal Temp+ Perm/aremi v3_protected.exe
Size: 1.6MB
MD5: 1b49c25d797f1a978d11c8334d693995
SHA1: 16f8272975123b5f2e1af72c038a30737823c3e1
SHA256: 7ab837a255697285865c093d5c6fe44f36e0cf72febaabbdc97634fdae0a4f69
SHA512: 0f28f88380dc1bccdad371dd1f19927706fad760c6c5a2f3a6b4072fb772234533148f3d990c42d13c1f683536f1b1974b7c8412d5158643af07cb1a9c5a3ebf
SSDEEP: 24576:X41t5iCct5iCD+Mvpt5iCct5iCc+Mvr+Mvpt5iCct5iCg:IgWMvLgdMv6MvLg
Score: 10/10

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)