Resubmissions

  • 13-05-2024 11:02: 240513-m5h7wscd52 (score 10)

  • 12-05-2024 21:06: 240512-zxtd4sah42 (score 10)

General

  • Target: MrsMajor 3.0.zip

  • Size: 718KB

  • Sample: 240513-m5h7wscd52

  • MD5: 1ba1c2c09aec0555b2735de46ca99837

  • SHA1: bcf87747109a6c0c77bbb4304b5d2d5cc4f1d05b

  • SHA256: 88d20370bb431865ebd0f8fee1d22e27192cfed6abf96f5e37e258d35fcf83be

  • SHA512: 0f4fd0c050004ada90867372f7682ac0c58e12e32ee4a92dafa27978772b36b0686196d2244dddfc18ca817e4ba59051208c25dbae2de6382957c60a23bc19e2

  • SSDEEP: 12288:8v2uSBZjT5gj1YLHA5gL3Foozppgxa9mP29uu30F2GD/J9aKogClwwSPqTj:8eJpijSLHBL3d14wVSB/ogCuwSPqf

Malware Config

Targets

    • Target: 2IPStartGuard.exe

    • Size: 492KB

    • MD5: af6513111d716fb785873eb7a1b82be0

    • SHA1: f5cef19010bc3536048bca085b70c95356414e08

    • SHA256: 92b1e608f6db89b696b672d9fa653174de7b2cb6a78282a83cee11f4c8907740

    • SHA512: 61451f24d09b99c07127a9f93285f2ec33eab0cdfe79f88cca86d2e0da4afa92d7de9920af9ad315245052270f11cd80018fb43fe4d82dabffd193a3a0b15612

    • SSDEEP: 12288:Z2eavDVp0149mp2XGuR0TJ0GjHF9eKY2QZww+Pq0k:Z2eWBEsZyfY2Q6w+Pq7

    Behaviour signatures:

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target: MrsMajor 3.0.exe

    • Size: 381KB

    • MD5: 35a27d088cd5be278629fae37d464182

    • SHA1: d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

    • SHA256: 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

    • SHA512: eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

    • SSDEEP: 6144:Th3idhONY259BH1DzJ5PzVNtGgc+F9TBd096cTKAsLEbqqbd+VWM8AHiKn9SlXNA:Th3iXPw9Tc6kVXMHHLEf8l7

    • Score: 10/10

    Behaviour signatures:

    • UAC bypass

    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Abuse Elevation Control Mechanism (T1548): 1

  • Bypass User Account Control (T1548.002): 1

Defense Evasion

  • Modify Registry (T1112): 3

  • Abuse Elevation Control Mechanism (T1548): 1

  • Bypass User Account Control (T1548.002): 1

  • Impair Defenses (T1562): 1

  • Disable or Modify Tools (T1562.001): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3
