saintbot | 1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b | Triage

Submit
Reports

Overview

overview

Static

static

1

1e6596320a...2b.exe

windows7-x64

1

1e6596320a...2b.exe

windows10-2004-x64

Sharing

General

Target

1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b
Size

1.5MB
Sample

240410-lxnxqsee2z
MD5

13ea6a80588a9eeea6b919a4f104a7de
SHA1

7e79e0459e7aa0fa54bd5a2e5e79b6c0587f2334
SHA256

1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b
SHA512

a3c212e76c7dc8328ea501abba5f76cf01c52b3bc7a60b7ec2eeff2af83537defbde1cecc22b6618b70390f81b46a47a4e5a10cea734d1e7d5cbb5db46613e73
SSDEEP

24576:PRfrBt/w6kIzuGIwlweXNivgGqG0ronl7Nti7VclubgkL:PRc6yGfweXNivgVp0nl7/mVc4s2

Score

10^/10

saintbot agilenet discovery dropper

Static task

static1

Behavioral task

behavioral1

Sample

1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b.exe

Resource

win7-20240221-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b.exe

Resource

win10v2004-20240226-en

saintbot agilenet discovery dropper

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b
- Size
  
  1.5MB
- MD5
  
  13ea6a80588a9eeea6b919a4f104a7de
- SHA1
  
  7e79e0459e7aa0fa54bd5a2e5e79b6c0587f2334
- SHA256
  
  1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b
- SHA512
  
  a3c212e76c7dc8328ea501abba5f76cf01c52b3bc7a60b7ec2eeff2af83537defbde1cecc22b6618b70390f81b46a47a4e5a10cea734d1e7d5cbb5db46613e73
- SSDEEP
  
  24576:PRfrBt/w6kIzuGIwlweXNivgGqG0ronl7Nti7VclubgkL:PRc6yGfweXNivgVp0nl7/mVc4s2
Score

10^/10

saintbot agilenet discovery dropper
- SaintBot
  Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
  dropper saintbot
- SaintBot payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

saintbotagilenetdiscoverydropper

© 2018-2024

Terms | Privacy