Malware Analysis Report

2025-05-28 16:50

Sample ID 250119-dljjwatjds
Target Gopidirit.exe
SHA256 553f70ff7e6aa1e1d9cc0452799b932dca7240fd3bfbd872fdeffdfd17c51704
Tags agilenet
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 553f70ff7e6aa1e1d9cc0452799b932dca7240fd3bfbd872fdeffdfd17c51704

Threat Level: Shows suspicious behavior

The file Gopidirit.exe was found to show suspicious behavior.

Malicious Activity Summary

agilenet

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-01-19 03:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 03:05

Reported

2025-01-19 03:08

Platform

win7-20240903-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe N/A (3 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe

"C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.aptitude.pub udp
US 104.26.6.125:443 www.aptitude.pub tcp
US 8.8.8.8:53 aptitude.pub udp
US 104.26.7.125:443 aptitude.pub tcp

Files

C:\Users\Admin\AppData\Local\Temp\evbC38D.tmp

MD5 05536a8959254cbc8c9c9bad8abbc89a
SHA1 5ac3ba35d844f88b44765c0a45d4440b9722c083
SHA256 1f278b45aa5291a6c162f9088cf737a77ad4266b21f15aa7d96b8187965bbab8
SHA512 5e9a7a4c77264bba48a978211494550cee7afc9624099eb0b899cd8e6a79c4ce8b8efaf598716038ba3b838f52427293dc19d90744b748974b494297aa9d2d73

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 03:05

Reported

2025-01-19 03:08

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe

"C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 www.aptitude.pub udp
US 172.67.70.48:443 www.aptitude.pub tcp
US 8.8.8.8:53 48.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 aptitude.pub udp
US 104.26.7.125:443 aptitude.pub tcp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 125.7.26.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\evb1D08.tmp

MD5 05536a8959254cbc8c9c9bad8abbc89a
SHA1 5ac3ba35d844f88b44765c0a45d4440b9722c083
SHA256 1f278b45aa5291a6c162f9088cf737a77ad4266b21f15aa7d96b8187965bbab8
SHA512 5e9a7a4c77264bba48a978211494550cee7afc9624099eb0b899cd8e6a79c4ce8b8efaf598716038ba3b838f52427293dc19d90744b748974b494297aa9d2d73

C:\Users\Admin\AppData\Local\Temp\evb1F40.tmp

MD5 04fb2d6d6813ffe1f14cb875f75bee89
SHA1 b77c9bdac152ff0e36b4f9b2cf1bfcbc8c669f6d
SHA256 f36b32e7d3993a50e78f63d29c14e82782f0b2e460408a2bd1d294f57b658b89
SHA512 6632f25e32d85d4e036655b00d164c6ee586e0bd6c428b1a328914bdec74bfbc00b1a43875defc9da4031cd959490c968095de77a309a767b97a2ef43609d2df
