Analysis
max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
19/01/2025, 03:05
Static task
static1
Behavioral task
behavioral1
Sample
Gopidirit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Gopidirit.exe
Resource
win10v2004-20241007-en
General
Target
Gopidirit.exe
Size
7.5MB
MD5
dd749d83056ecb224b888d51a6748244
SHA1
be2a4958e9fd52a0ca31a9b496e2d55900a79a10
SHA256
553f70ff7e6aa1e1d9cc0452799b932dca7240fd3bfbd872fdeffdfd17c51704
SHA512
16b89c511a49047a98f1b6894a8afc22d90092c86af60eaffb535bb98bdb7989d695057f2d09994d16f98a6077a9178dd76ed4d01982e1063196c78726c6091c
SSDEEP
196608:0jwJiv+RneA0pkTheTFPYbhqyH40AW8WOOxSebUKGSwd:0nGOeh4wbhqyH4bWrOMXmSwd
Malware Config
Signatures
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/3060-8-0x00000000003A0000-0x0000000001770000-memory.dmp | agile_net
behavioral1/memory/3060-6-0x00000000003A0000-0x0000000001770000-memory.dmp | agile_net
behavioral1/memory/3060-25-0x00000000003A0000-0x0000000001770000-memory.dmp | agile_net
behavioral1/memory/3060-26-0x00000000003A0000-0x0000000001770000-memory.dmp | agile_net
behavioral1/memory/3060-74-0x00000000003A0000-0x0000000001770000-memory.dmp | agile_net
behavioral1/memory/3060-80-0x00000000003A0000-0x0000000001770000-memory.dmp | agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
3060 | Gopidirit.exe
3060 | Gopidirit.exe
3060 | Gopidirit.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process
3060 | Gopidirit.exe (21 occurrences)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3060 | Gopidirit.exe
Downloads
Filesize
1KB
MD5
05536a8959254cbc8c9c9bad8abbc89a
SHA1
5ac3ba35d844f88b44765c0a45d4440b9722c083
SHA256
1f278b45aa5291a6c162f9088cf737a77ad4266b21f15aa7d96b8187965bbab8
SHA512
5e9a7a4c77264bba48a978211494550cee7afc9624099eb0b899cd8e6a79c4ce8b8efaf598716038ba3b838f52427293dc19d90744b748974b494297aa9d2d73