4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68 | Triage

Resubmissions

25/04/2024, 18:13

240425-wt9p5sdc51 10

25/04/2024, 18:08

240425-wqze1add38 10

25/04/2024, 18:05

240425-wpcjvadc2t 8

Sharing

General

Target

sample
Size

19KB
Sample

240425-wt9p5sdc51
MD5

39a49a0f8ac6c6c2532c8e0fb619314f
SHA1

f58325cf2a9a92031697915b0759630699872fd5
SHA256

4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68
SHA512

2069d523e9777c62d5f463364f9d851969e714801b146434a0e2dbe95060715ffce7fd301632bbe93fd8eb1e9ed5aae74813f4c7cd1694238ba9e382e7411f93
SSDEEP

384:rLyv/u9KDpmReVoOs4Mi9ylKeGMxU8HhhbJnQ7xZS2LjFrSX+NVJCBXQL:rLytBVoOs4MmyI1M1BhbFuPFrSsJQQL

Score

10^/10

agilenet bootkit evasion persistence trojan

Malware Config

Targets

- Target
  
  sample
- Size
  
  19KB
- MD5
  
  39a49a0f8ac6c6c2532c8e0fb619314f
- SHA1
  
  f58325cf2a9a92031697915b0759630699872fd5
- SHA256
  
  4b4d5673b94b4265836247a57b146413100698ed5c79a9f93409abec7c5d9c68
- SHA512
  
  2069d523e9777c62d5f463364f9d851969e714801b146434a0e2dbe95060715ffce7fd301632bbe93fd8eb1e9ed5aae74813f4c7cd1694238ba9e382e7411f93
- SSDEEP
  
  384:rLyv/u9KDpmReVoOs4Mi9ylKeGMxU8HhhbJnQ7xZS2LjFrSX+NVJCBXQL:rLytBVoOs4MmyI1M1BhbFuPFrSsJQQL
Score

10^/10

agilenet bootkit evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetbootkitevasionpersistencetrojan