f7a200f18c18f6d80fbf987e251ee96cc3eb08649f36ccdb4ee3c5110b0ebf17

General

Target

ExternalSpoofer.exe
Size

3.0MB
MD5

591b075aab81ac7df3d79cf617d4d7a7
SHA1

eecc505f82677bcde7390a8c64ab41d8963403c6
SHA256

f7a200f18c18f6d80fbf987e251ee96cc3eb08649f36ccdb4ee3c5110b0ebf17
SHA512

7f16de3bd87e5a5a12515016f57fbcc7580f5003949c4270f434056b3e11306cd6d46364bec49cf62780b89159f8eb64a1b97a54da6d66f1bdf362186a1386e9
SSDEEP

49152:wqsfSamq4jrhhWKwbr8PgwKMrNt5HQUuASCAVXx2DUtD6P6uG6VPKL:wHSamnPmKG8P0Mrf5HQt7aUtE6T6M

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

ExternalSpoofer.exe

pid process

2864 ExternalSpoofer.exe

pid	process
2864	ExternalSpoofer.exe

Obfuscated with Agile.Net obfuscator 33 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2864-7-0x0000000005BF0000-0x0000000005DCC000-memory.dmp	agile_net
behavioral2/memory/2864-37-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-60-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-76-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-78-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-74-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-72-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-70-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-68-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-66-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-64-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-62-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-58-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-56-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-54-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-52-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-50-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-48-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-44-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-39-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-35-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-33-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-29-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-27-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-24-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-17-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-46-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-42-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-16-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-31-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-25-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-21-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net
behavioral2/memory/2864-19-0x0000000005BF0000-0x0000000005DC8000-memory.dmp	agile_net

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4544 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ExternalSpoofer.exe

description pid process

Token: SeDebugPrivilege 2864 ExternalSpoofer.exe

pid	process
4544	timeout.exe

description	pid	process
Token: SeDebugPrivilege	2864	ExternalSpoofer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ExternalSpoofer.execmd.execmd.exe

description	pid	process	target process
PID 2864 wrote to memory of 440	2864	ExternalSpoofer.exe	cmd.exe
PID 2864 wrote to memory of 440	2864	ExternalSpoofer.exe	cmd.exe
PID 2864 wrote to memory of 440	2864	ExternalSpoofer.exe	cmd.exe
PID 440 wrote to memory of 5048	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 5048	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 5048	440	cmd.exe	cmd.exe
PID 5048 wrote to memory of 4544	5048	cmd.exe	timeout.exe
PID 5048 wrote to memory of 4544	5048	cmd.exe	timeout.exe
PID 5048 wrote to memory of 4544	5048	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\ExternalSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\ExternalSpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start cmd /C "color b && title Error && echo Application not found && timeout /t 5"
2⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\cmd.exe
cmd /C "color b && title Error && echo Application not found && timeout /t 5"
3⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:4544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fe18e516-f12f-4073-bf13-52a839118bfb\GunaDotNetRT.dll
Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
memory/2864-52-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-10939-0x0000000006AC0000-0x0000000006B5C000-memory.dmp

Filesize
624KB

Download
memory/2864-3-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/2864-4-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/2864-5-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/2864-6-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/2864-7-0x0000000005BF0000-0x0000000005DCC000-memory.dmp

Filesize
1.9MB

Download
memory/2864-1-0x0000000000940000-0x0000000000C4A000-memory.dmp

Filesize
3.0MB

Download
memory/2864-40-0x0000000071000000-0x0000000071037000-memory.dmp

Filesize
220KB

Download
memory/2864-37-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-60-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-76-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-78-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-74-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-54-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-70-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-68-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-66-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-64-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-62-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-58-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-56-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-72-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-2-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/2864-24-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-48-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-44-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-39-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-35-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-33-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-29-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-27-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-50-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-17-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-46-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-42-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-16-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-15-0x00000000735F0000-0x0000000073679000-memory.dmp

Filesize
548KB

Download
memory/2864-31-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-25-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-21-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-19-0x0000000005BF0000-0x0000000005DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/2864-10940-0x0000000006BC0000-0x0000000006D0E000-memory.dmp

Filesize
1.3MB

Download
memory/2864-10941-0x00000000064D0000-0x00000000064E4000-memory.dmp

Filesize
80KB

Download
memory/2864-10942-0x0000000006A30000-0x0000000006AC0000-memory.dmp

Filesize
576KB

Download
memory/2864-10945-0x0000000071000000-0x0000000071037000-memory.dmp

Filesize
220KB

Download
memory/2864-10944-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing