Overview

overview

10

Static

static

1

sample.html

windows10-1703-x64

10

Resubmissions

25-04-2024 18:13

240425-wt9p5sdc51 10

25-04-2024 18:08

240425-wqze1add38 10

25-04-2024 18:05

240425-wpcjvadc2t 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample

  • Size

    19KB

  • Sample

    240425-wt9p5sdc51

  • MD5

    39a49a0f8ac6c6c2532c8e0fb619314f

  • SHA1

    f58325cf2a9a92031697915b0759630699872fd5

  • SHA256

    4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68

  • SHA512

    2069d523e9777c62d5f463364f9d851969e714801b146434a0e2dbe95060715ffce7fd301632bbe93fd8eb1e9ed5aae74813f4c7cd1694238ba9e382e7411f93

  • SSDEEP

    384:rLyv/u9KDpmReVoOs4Mi9ylKeGMxU8HhhbJnQ7xZS2LjFrSX+NVJCBXQL:rLytBVoOs4MmyI1M1BhbFuPFrSsJQQL

Score
10/10
agilenetbootkitevasionpersistencetrojan

Malware Config

Targets

    • Target

      sample

    • Size

      19KB

    • MD5

      39a49a0f8ac6c6c2532c8e0fb619314f

    • SHA1

      f58325cf2a9a92031697915b0759630699872fd5

    • SHA256

      4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68

    • SHA512

      2069d523e9777c62d5f463364f9d851969e714801b146434a0e2dbe95060715ffce7fd301632bbe93fd8eb1e9ed5aae74813f4c7cd1694238ba9e382e7411f93

    • SSDEEP

      384:rLyv/u9KDpmReVoOs4Mi9ylKeGMxU8HhhbJnQ7xZS2LjFrSX+NVJCBXQL:rLytBVoOs4MmyI1M1BhbFuPFrSsJQQL

    Score
    10/10
    agilenetbootkitevasionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

3
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks