Overview (overall score 10)

Each row is one analysis task: the target file (names truncated as on the page), the platform it ran on, and the score the sandbox assigned to that task.

Task                      Platform             Score
Static                    -                    10
Debug/Crystal.exe         windows7-x64         10
Debug/Crystal.exe         windows10-2004-x64   10
Debug/Crys...re.dll       windows7-x64         1
Debug/Crys...re.dll       windows10-2004-x64   1
Debug/Crys...pet.js       windows7-x64         3
Debug/Crys...pet.js       windows10-2004-x64   3
Debug/Guna.UI2.dll        windows7-x64         1
Debug/Guna.UI2.dll        windows10-2004-x64   1
Debug/Micr...re.dll       windows7-x64         1
Debug/Micr...re.dll       windows10-2004-x64   1
Debug/Micr...ms.dll       windows7-x64         1
Debug/Micr...ms.dll       windows10-2004-x64   1
Debug/Micr...pf.dll       windows7-x64         1
Debug/Micr...pf.dll       windows10-2004-x64   1
Debug/Monaco/fgd.html     windows7-x64         1
Debug/Monaco/fgd.html     windows10-2004-x64   6
Debug/Mona...dex.js       windows7-x64         3
Debug/Mona...dex.js       windows10-2004-x64   3
Debug/Mona...n/mime       ubuntu-18.04-amd64   3
Debug/Mona...n/mime       debian-9-armhf       1
Debug/Mona...n/mime       debian-9-mips        (no score shown)
Debug/Mona...n/mime       debian-9-mipsel      (no score shown)
Debug/Mona...me.cmd       windows7-x64         1
Debug/Mona...me.cmd       windows10-2004-x64   1
Debug/Mona...me.ps1       ubuntu-18.04-amd64   1
Debug/Mona...me.ps1       debian-9-armhf       1
Debug/Mona...me.ps1       debian-9-mips        (no score shown)
Debug/Mona...me.ps1       debian-9-mipsel      (no score shown)
Debug/Mona...DME.js       windows7-x64         3
Debug/Mona...DME.js       windows10-2004-x64   3
Debug/Mona...dex.js       windows7-x64         3
Debug/Mona...dex.js       windows10-2004-x64   3

Analysis
The run details that follow (signatures, process IoCs, memory dumps) belong to a single task, behavioral1: Debug/Crystal.exe detonated on the win7-20240508-en image. Of the 32 behavioral tasks submitted, only the two Debug/Crystal.exe runs scored 10; the WebView2, Guna.UI2 and Monaco files bundled in the same Debug/ directory were not attributed to a malware family.

max time kernel: 145s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 18:42
Behavioral tasks (task: sample, resource image)

behavioral1:  Debug/Crystal.exe, win7-20240508-en
behavioral2:  Debug/Crystal.exe, win10v2004-20240226-en
behavioral3:  Debug/Crystal.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll, win7-20240508-en
behavioral4:  Debug/Crystal.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll, win10v2004-20240226-en
behavioral5:  Debug/Crystal.exe.WebView2/EBWebView/Subresource Filter/Unindexed Rules/10.34.0.52/adblock_snippet.js, win7-20240611-en
behavioral6:  Debug/Crystal.exe.WebView2/EBWebView/Subresource Filter/Unindexed Rules/10.34.0.52/adblock_snippet.js, win10v2004-20240226-en
behavioral7:  Debug/Guna.UI2.dll, win7-20240220-en
behavioral8:  Debug/Guna.UI2.dll, win10v2004-20240508-en
behavioral9:  Debug/Microsoft.Web.WebView2.Core.dll, win7-20240508-en
behavioral10: Debug/Microsoft.Web.WebView2.Core.dll, win10v2004-20240508-en
behavioral11: Debug/Microsoft.Web.WebView2.WinForms.dll, win7-20240220-en
behavioral12: Debug/Microsoft.Web.WebView2.WinForms.dll, win10v2004-20240611-en
behavioral13: Debug/Microsoft.Web.WebView2.Wpf.dll, win7-20240611-en
behavioral14: Debug/Microsoft.Web.WebView2.Wpf.dll, win10v2004-20240611-en
behavioral15: Debug/Monaco/fgd.html, win7-20240221-en
behavioral16: Debug/Monaco/fgd.html, win10v2004-20240611-en
behavioral17: Debug/Monaco/fileaccess/index.js, win7-20240611-en
behavioral18: Debug/Monaco/fileaccess/index.js, win10v2004-20240508-en
behavioral19: Debug/Monaco/fileaccess/node_modules/.bin/mime, ubuntu1804-amd64-20240508-en
behavioral20: Debug/Monaco/fileaccess/node_modules/.bin/mime, debian9-armhf-20240611-en
behavioral21: Debug/Monaco/fileaccess/node_modules/.bin/mime, debian9-mipsbe-20240611-en
behavioral22: Debug/Monaco/fileaccess/node_modules/.bin/mime, debian9-mipsel-20240226-en
behavioral23: Debug/Monaco/fileaccess/node_modules/.bin/mime.cmd, win7-20240508-en
behavioral24: Debug/Monaco/fileaccess/node_modules/.bin/mime.cmd, win10v2004-20240508-en
behavioral25: Debug/Monaco/fileaccess/node_modules/.bin/mime.ps1, ubuntu1804-amd64-20240508-en
behavioral26: Debug/Monaco/fileaccess/node_modules/.bin/mime.ps1, debian9-armhf-20240611-en
behavioral27: Debug/Monaco/fileaccess/node_modules/.bin/mime.ps1, debian9-mipsbe-20240611-en
behavioral28: Debug/Monaco/fileaccess/node_modules/.bin/mime.ps1, debian9-mipsel-20240226-en
behavioral29: Debug/Monaco/fileaccess/node_modules/accepts/README.js, win7-20240221-en
behavioral30: Debug/Monaco/fileaccess/node_modules/accepts/README.js, win10v2004-20240226-en
behavioral31: Debug/Monaco/fileaccess/node_modules/accepts/index.js, win7-20240508-en
behavioral32: Debug/Monaco/fileaccess/node_modules/accepts/index.js, win10v2004-20240508-en
General

Target: Debug/Crystal.exe
Size: 144KB
MD5: 9e353bbaf855fd44edba02d747b6e9f4
SHA1: 289146c6c89604690048b018638e147e8a53cbed
SHA256: 2d0efe812711be404787e0c6832284bbacb0e16e35d241cb29d88f44e8bc336e
SHA512: 13ebe39c7665b2d17d83f2df9d4241bcc2ddc7e086ab8b7b031ed56f8356611b92901f70e202d44e2d2d349e9c135202592dcc0ce3a45017576e0cde7d7760e5
SSDEEP: 3072:kjWWh/jzNFzkIbdb3gAp4bTv4A8D625U7N4MDaAiDmbUaXVNXa6fm:kjXzFzZdbQTbj4+PZ3DaAiDmbUUVN
Malware Config
(empty in this report: no C2 or credential-exfiltration configuration is shown for this run)

Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, clipboard and browser/mail credential theft).

AgentTesla payload (1 IoC)
  resource:  behavioral1/memory/2284-6-0x000000000AAB0000-0x000000000ACC2000-memory.dmp
  yara_rule: family_agenttesla
  The family attribution rests on this single YARA match against a memory dump, not on the file on disk; the 144KB Crystal.exe is therefore best treated as a loader whose decoded payload only becomes recognisable in memory.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Crystal.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Crystal.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Crystal.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
  Reading SystemManufacturer and SystemVersion is a common virtual-machine check (the values carry hypervisor vendor strings on an unmodified VM), but legitimate inventory and telemetry software reads the same values, so this signature is low-confidence on its own and the report does not claim the sample acted on the result.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 2284 Crystal.exe (the same process, reported 27 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2284 Crystal.exe
  Repeated polling of the foreground window is typical of keyloggers that tag captured keystrokes with the active window title.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2284 Crystal.exe
  SeDebugPrivilege lets a process open handles to processes it does not own; together with the process enumeration above it is a common precursor to reading or injecting into other processes, though no injection is recorded here.
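The registry check flagged above, reproduced as an added example (my code, not the sample's and not part of the sandbox report) so an analyst can see what the two queried values reveal and test whether an analysis VM leaks them. The hypervisor marker list and the constructed sample value sets are my own assumptions; the report only shows that the two values were read, not what the sample did with them.

```python
"""Emulate the BIOS-key check recorded in the report (added example, not the sample's code)."""
import platform

# The key and values the sample queried, per the "Enumerates system info in registry" signature.
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
BIOS_VALUES = ("SystemManufacturer", "SystemVersion")

# Assumed hypervisor markers found in these values on unmodified VMs (my list, not from the report).
VM_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "xen", "kvm",
    "bochs", "hyper-v", "virtual machine", "parallels",
)

# Constructed value sets for offline testing; they are not values captured from the sandbox.
SAMPLES = {
    "stock vmware":     {"SystemManufacturer": "VMware, Inc.", "SystemVersion": "None"},
    "stock virtualbox": {"SystemManufacturer": "innotek GmbH", "SystemVersion": "1.2"},
    "hardened vm":      {"SystemManufacturer": "Dell Inc.", "SystemVersion": "1.0"},
    "values missing":   {},
}


def classify_bios(values):
    """Return (verdict, matched_marker) for a dict of the two BIOS values.

    This is the decision an anti-analysis stub would make from the same data:
    substring match on the lower-cased values, first marker wins.
    """
    blob = " ".join(str(values.get(name, "")) for name in BIOS_VALUES).lower()
    for marker in VM_MARKERS:
        if marker in blob:
            return ("virtual", marker)
    if not blob.strip():
        return ("unknown", None)  # key present but both values absent
    return ("physical", None)


def read_bios_values():
    """Read the same two values the sample queried. Windows only; returns {} elsewhere."""
    if platform.system() != "Windows":
        return {}
    import winreg  # stdlib on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in BIOS_VALUES:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not present on this build; classify_bios treats it as empty
    return out


def audit(samples=SAMPLES):
    """Classify every constructed sample; returns {label: verdict}."""
    return {label: classify_bios(vals)[0] for label, vals in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:18s} -> {verdict}")
    live = read_bios_values()
    if live:
        print("this host          ->", classify_bios(live))
```

Run it on the analysis VM itself: a "virtual" verdict means the guest exposes the same strings the sample read, and the hardening of the image (not the sample) is what should change. The substring match is deliberately crude, matching what such stubs typically do; it will also fire on any vendor string that happens to contain a marker.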
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Memory dumps taken from pid 2284 (Crystal.exe) during behavioral1; the dump name encodes the process id, a sequence number and the start/end address of the region.

Dump                                                            Size
memory/2284-0-0x00000000742DE000-0x00000000742DF000-memory.dmp   4KB
memory/2284-1-0x0000000000A10000-0x0000000000A3C000-memory.dmp   176KB
memory/2284-2-0x00000000008A0000-0x00000000008B6000-memory.dmp   88KB
memory/2284-3-0x0000000000800000-0x000000000080E000-memory.dmp   56KB
memory/2284-4-0x00000000742D0000-0x00000000749BE000-memory.dmp   6.9MB
memory/2284-5-0x0000000001F80000-0x0000000002010000-memory.dmp   576KB
memory/2284-6-0x000000000AAB0000-0x000000000ACC2000-memory.dmp   2.1MB
memory/2284-7-0x0000000002080000-0x000000000208A000-memory.dmp   40KB
memory/2284-8-0x00000000742D0000-0x00000000749BE000-memory.dmp   6.9MB
memory/2284-9-0x00000000742DE000-0x00000000742DF000-memory.dmp   4KB
memory/2284-10-0x00000000742D0000-0x00000000749BE000-memory.dmp  6.9MB
memory/2284-11-0x00000000742D0000-0x00000000749BE000-memory.dmp  6.9MB
memory/2284-12-0x00000000742D0000-0x00000000749BE000-memory.dmp  6.9MB
memory/2284-13-0x00000000742D0000-0x00000000749BE000-memory.dmp  6.9MB
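An added example (my code, not part of the report or the sandbox) that parses the dump list above: it recovers each region's size from the addresses in the file name, checks that against the printed size column, collapses the repeatedly dumped regions, and locates the one dump the family_agenttesla rule matched. The dump list is embedded verbatim from this report; the reading that the YARA hit sits in a 2.1MB region separate from the 176KB region whose size is closest to the 144KB on-disk image is my interpretation, not a statement the report makes.

```python
"""Parse tria.ge-style memory dump names and cross-check them (added example, not from the report)."""
import re

# Copied from the Downloads list above (behavioral1, pid 2284), name followed by the printed size.
DUMPS = """
memory/2284-0-0x00000000742DE000-0x00000000742DF000-memory.dmp 4KB
memory/2284-1-0x0000000000A10000-0x0000000000A3C000-memory.dmp 176KB
memory/2284-2-0x00000000008A0000-0x00000000008B6000-memory.dmp 88KB
memory/2284-3-0x0000000000800000-0x000000000080E000-memory.dmp 56KB
memory/2284-4-0x00000000742D0000-0x00000000749BE000-memory.dmp 6.9MB
memory/2284-5-0x0000000001F80000-0x0000000002010000-memory.dmp 576KB
memory/2284-6-0x000000000AAB0000-0x000000000ACC2000-memory.dmp 2.1MB
memory/2284-7-0x0000000002080000-0x000000000208A000-memory.dmp 40KB
memory/2284-8-0x00000000742D0000-0x00000000749BE000-memory.dmp 6.9MB
memory/2284-9-0x00000000742DE000-0x00000000742DF000-memory.dmp 4KB
memory/2284-10-0x00000000742D0000-0x00000000749BE000-memory.dmp 6.9MB
memory/2284-11-0x00000000742D0000-0x00000000749BE000-memory.dmp 6.9MB
memory/2284-12-0x00000000742D0000-0x00000000749BE000-memory.dmp 6.9MB
memory/2284-13-0x00000000742D0000-0x00000000749BE000-memory.dmp 6.9MB
"""

# The dump the family_agenttesla YARA rule matched, from the Signatures section.
YARA_HIT = "behavioral1/memory/2284-6-0x000000000AAB0000-0x000000000ACC2000-memory.dmp"

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and the [start, end) address range."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a recognised memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human(n):
    """Render a byte count the way the report does: whole KB below 1MB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def parse_downloads(text=DUMPS):
    """Parse the list and mark whether the printed size agrees with the address range."""
    rows = []
    for line in text.strip().splitlines():
        name, reported = line.split()
        d = parse_dump_name(name)
        d.update(name=name, reported=reported, size_matches=(human(d["size"]) == reported))
        rows.append(d)
    return rows


def unique_regions(rows):
    """Group dumps by address range: the same range dumped again is a re-snapshot, not a new region."""
    regions = {}
    for d in rows:
        regions.setdefault((d["start"], d["end"]), []).append(d["seq"])
    return regions


def yara_hit_region(rows, hit=YARA_HIT):
    """Return the parsed row that the YARA-matched dump name refers to, or None."""
    h = parse_dump_name(hit)
    for d in rows:
        if (d["pid"], d["seq"], d["start"], d["end"]) == (h["pid"], h["seq"], h["start"], h["end"]):
            return d
    return None


if __name__ == "__main__":
    rows = parse_downloads()
    for (start, end), seqs in unique_regions(rows).items():
        print(f"0x{start:08X}-0x{end:08X} {human(end - start):>6}  dumps {seqs}")
    hit = yara_hit_region(rows)
    print("family_agenttesla matched dump", hit["seq"], "at", f"0x{hit['start']:08X}", human(hit["size"]))
```

The 14 dumps cover only 8 distinct ranges; the 6.9MB region at 0x742D0000 was re-dumped six times, which is what the sandbox does for a region it keeps watching. When triaging, pull the YARA-matched dump first: it is the region the family rule actually fired on, and it is where the strings and configuration the on-disk file hides are most likely to be readable.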