General
Target: Agile.Net Advanced Obfuscation v6.6.0.42 Full Activated - WwW.Dr-FarFar.CoM.zip
Size: 71.1MB
Sample: 240902-1192pszckb
MD5: 5694f6fd9db2f1968e253aa2689671ef
SHA1: e6a1b4c0d5bb82703d865009393bbc80a38c63a1
SHA256: cce32abb77ab93a740d42b466d41536a1fcd4cd2512a5bb957dbdd21f375b9cb
SHA512: abf08d28f34c291e3d936717cfd4b4600c226d6cf59dc3090f868960a871ea15ca0b65ae6d96a39de048f6e829eeb1120c36485cde408c1df7ecda4fd66f9ed7
SSDEEP: 1572864:xal0p9XIkCH8WUH8jUETEh/e6ro49Pg/WLIj17gTp96uKJY+GoGFUkLW3vHEXjRQ:J4BH8WUcAEanLgh7eP6rJfGFj63i9Q
Static task: static1
Behavioral task: behavioral1
Sample: Setup/Agile.Net Advanced .NET Obfuscation Full Activated.exe
Resource: win11-20240802-en
Malware Config
Targets
Target: Setup/Agile.Net Advanced .NET Obfuscation Full Activated.exe
Size: 71.6MB
MD5: 103edbef2a58a81ef73099d10de34f29
SHA1: 5acbf181704e36b1ebf0a6bc0da73546d130bc22
SHA256: 4560668d19692509407250b780e3213a30aba76039106b57585821fdc3a1dcb7
SHA512: 1168e60f6b88e40abe917a937b12db594db59bccdbd49e2c75e999db7d2188a87b9af4fcbf707e0693dedcceb57d048456ed15207a65a73eb217a3b30af4a19f
SSDEEP: 1572864:Gfz/3r6mvYHShnZZ6Hvdyf1kCIPDIhqJz/Jxyf3HKWaBukAE4vQktk9Fvwhtpcsc:kxvYHSLZ6HFI1q1RxKXKJBF4vFO9+vK
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
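The registry-touching behaviours in the list above (the VirtualBox ACPI and BIOS reads, the COM hijack, the Run key write and the Uninstall-key enumeration) expressed as detection logic and run over a handful of constructed Sysmon-style registry events. This is an added example, not part of the sandbox report or any vendor's signature set: the RegEvent record format, the sample events and the process and file names in them are constructed for illustration, and the ATT&CK technique IDs are the standard ones for each behaviour.

```python
"""Registry-event triage for the behaviours flagged in the report above.

Added example, not part of the sandbox report. The event format and the
sample events are constructed; the registry paths are the well-known
locations each behaviour touches.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    op: str            # "read" | "write" | "enum"
    key: str           # registry key path as logged
    value: str = ""    # value name (reads/writes)
    data: str = ""     # value data (writes)


_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
_USER_SID = re.compile(r"S-1-5-21-[\d-]+\\", re.I)


def normalise_key(key: str) -> str:
    """Canonicalise hive names and fold a per-SID HKU\\S-1-5-21-... path into HKCU."""
    hive, _, rest = key.partition("\\")
    hive = _HIVES.get(hive.upper(), hive.upper())
    if hive == "HKU" and _USER_SID.match(rest):
        hive, rest = "HKCU", rest.split("\\", 1)[1]
    return hive + "\\" + rest.strip("\\")


_GUID = r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}"

# (rule id, ATT&CK technique, description, key pattern, operations, value-name pattern)
RULES = (
    ("anti_vm_virtualbox_acpi", "T1497.001", "Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I), {"read", "enum"}, None),
    ("bios_info_check", "T1497.001", "Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM(?:\\BIOS)?$", re.I), {"read"},
     re.compile(r"^(?:SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName|BIOSVendor)$", re.I)),
    ("com_hijack", "T1546.015", "COM hijacking: per-user CLSID server registration",
     re.compile(r"^HKCU\\SOFTWARE\\CLASSES\\CLSID\\" + _GUID + r"\\(?:INPROCSERVER32|LOCALSERVER32)$", re.I),
     {"write"}, None),
    ("run_key", "T1547.001", "Adds Run key to start application",
     re.compile(r"^HK(?:LM|CU)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(?:ONCE)?$", re.I), {"write"}, None),
    ("installed_software_enum", "T1012", "Checks installed software via Uninstall keys",
     re.compile(r"^HKLM\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL(?:\\|$)", re.I),
     {"enum", "read"}, None),
)


def triage(events):
    """Return {rule_id: [(pid, normalised_key, value, data), ...]} for matching events."""
    hits = defaultdict(list)
    for ev in events:
        key = normalise_key(ev.key)
        for rule_id, _tech, _desc, key_re, ops, value_re in RULES:
            if ev.op not in ops or not key_re.search(key):
                continue
            if value_re is not None and not value_re.search(ev.value):
                continue
            hits[rule_id].append((ev.pid, key, ev.value, ev.data))
    return dict(hits)


def techniques(hits):
    """Sorted ATT&CK technique IDs evidenced by the hits."""
    by_rule = {r[0]: r[1] for r in RULES}
    return sorted({by_rule[r] for r in hits})


def com_hijack_paths(hits):
    """Server paths registered by COM-hijack writes that point into user-writable
    directories, the usual sign that the handler is a dropped DLL."""
    user_dirs = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
    return [data for _pid, _key, _val, data in hits.get("com_hijack", ()) if user_dirs.search(data)]


# Constructed sample trace: one suspicious installer process plus benign Explorer noise.
_SETUP = "C:\\Users\\lab\\Desktop\\setup.exe"
SAMPLE_EVENTS = [
    RegEvent(4120, _SETUP, "read", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System", value="SystemBiosVersion"),
    RegEvent(4120, _SETUP, "enum", "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"),
    RegEvent(4120, _SETUP, "write",
             "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\\InprocServer32",
             value="(Default)", data="C:\\Users\\lab\\AppData\\Roaming\\upd\\handler.dll"),
    RegEvent(4120, _SETUP, "write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
             value="upd", data="C:\\Users\\lab\\AppData\\Roaming\\upd\\setup.exe"),
    RegEvent(4120, _SETUP, "enum", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    RegEvent(1288, "C:\\Windows\\explorer.exe", "read",
             "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", value="Hidden"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for rule_id, _tech, desc, *_ in RULES:
        if rule_id in found:
            print(f"[{rule_id}] {desc}: {len(found[rule_id])} event(s)")
    print("techniques:", ", ".join(techniques(found)))
    print("COM servers in user-writable paths:", com_hijack_paths(found))
```

The write rules map directly onto Sysmon registry events (Event ID 12 for key create/delete, 13 for value set); the read and enumeration rules do not, because Sysmon does not record registry reads, so those need an API-level trace such as the one the sandbox produced for this report.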
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)