6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34

Analysis

max time kernel
134s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe
Size

2.6MB
MD5

27e5fd6b179cc604a92ad40a401f4aec
SHA1

f8a7cd307bb1acfa2ed83d2c9d511bc2891b4332
SHA256

6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34
SHA512

99a2c3a5696751ca1936f2333ac4eca1c3c614b8371dab9c6cf65f0c7fbdc7f2ffb19342cd2b22e99fd4e35ca6a048f4d6494ae2bcecbed639c23fc0a76d28d8
SSDEEP

49152:vCwaz70YMUaqZTbeSAmshGCOljXu0rTuEysKob19dFuAw+W7SCbcZM:nq0mLZBV+GCORXxTuEF/b1/s7ue

Score

9^/10

agilenet vmprotect

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000050000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables Discord URL observed in first stage droppers 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000050000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables manipulated with Fody 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000050000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_Fody

Detects executables packed with Agile.NET / CliSecure 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-3-0x000000001C7E0000-0x000000001C9AA000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
\Users\Admin\AppData\Local\Temp\c10786eb-9d72-4fbb-b0e8-a0d43e5e6ee1\AgileDotNetRT64.dll	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-12-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-11-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-14-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-16-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-18-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-20-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-22-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-24-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-26-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-28-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-30-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-32-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-34-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-36-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-38-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-40-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-42-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-44-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-46-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-48-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-50-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-52-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-54-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-56-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-58-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-60-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-62-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-64-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-66-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-68-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-70-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2244-72-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet

Detects executables packed with VMProtect. 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000050000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Loads dropped DLL 1 IoCs

Processes:

6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

pid process

2244 6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

pid	process
2244	6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

Obfuscated with Agile.Net obfuscator 33 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2244-3-0x000000001C7E0000-0x000000001C9AA000-memory.dmp	agile_net
behavioral1/memory/2244-12-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-11-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-14-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-16-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-18-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-20-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-22-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-24-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-26-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-28-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-30-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-32-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-34-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-36-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-38-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-40-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-42-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-44-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-46-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-48-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-50-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-52-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-54-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-56-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-58-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-60-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-62-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-64-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-66-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-68-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-70-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net
behavioral1/memory/2244-72-0x000000001C7E0000-0x000000001C9A6000-memory.dmp	agile_net

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000050000-0x0000000000440000-memory.dmp	vmprotect

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

pid process

2244 6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

pid	process
2244	6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe

description	pid	process	target process
PID 2244 wrote to memory of 1548	2244	6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe	WerFault.exe
PID 2244 wrote to memory of 1548	2244	6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe	WerFault.exe
PID 2244 wrote to memory of 1548	2244	6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe
"C:\Users\Admin\AppData\Local\Temp\6bb1021eebd7375d2080fdc50364ee112fb99c57fad69ff2b7619330d2b86f34.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2244 -s 736
2⤵
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\c10786eb-9d72-4fbb-b0e8-a0d43e5e6ee1\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/2244-42-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-11341-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2244-3-0x000000001C7E0000-0x000000001C9AA000-memory.dmp

Filesize
1.8MB

Download
memory/2244-44-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-10-0x000007FEF4760000-0x000007FEF488C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-12-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-11-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-14-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-16-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-18-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-20-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-22-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-24-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-26-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-28-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-30-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-32-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-48-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-36-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-38-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-40-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-0-0x0000000000050000-0x0000000000440000-memory.dmp

Filesize
3.9MB

Download
memory/2244-1-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-2-0x000000001C160000-0x000000001C1E0000-memory.dmp

Filesize
512KB

Download
memory/2244-34-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-50-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-52-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-54-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-56-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-58-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-60-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-62-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-64-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-66-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-68-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-70-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-72-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-4685-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-5230-0x000000001C160000-0x000000001C1E0000-memory.dmp

Filesize
512KB

Download
memory/2244-11337-0x000000001C160000-0x000000001C1E0000-memory.dmp

Filesize
512KB

Download
memory/2244-11338-0x0000000002750000-0x000000000276A000-memory.dmp

Filesize
104KB

Download
memory/2244-11339-0x00000000025B0000-0x00000000025BE000-memory.dmp

Filesize
56KB

Download
memory/2244-11340-0x0000000002770000-0x000000000278A000-memory.dmp

Filesize
104KB

Download
memory/2244-46-0x000000001C7E0000-0x000000001C9A6000-memory.dmp

Filesize
1.8MB

Download
memory/2244-11342-0x000000001C160000-0x000000001C1E0000-memory.dmp

Filesize
512KB

Download