Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 26-06-2024 16:56

Static task: static1

Behavioral task: behavioral1
  Sample: AimBolt.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: AimBolt.exe
  Resource: win10v2004-20240508-en
General

Target: AimBolt.exe
Size: 761KB
MD5: f4207c97ef68f04fdfb837133fe06fe4
SHA1: 910f4cdf8987936ce76b4314b53e634fb517a182
SHA256: 2bd9aaefd640dd2ff0afcc994ebf0b66f7b5ebb05fd38d78ef04815e901b4994
SHA512: e0fe67bf6434397ceb89ea10746165526c852ec6ea5d6c92e74d1c34e0ca94a9e1d6ba30dcf36a29ed6b4ff835fac5e1b314469e4078a12e4e319e4661a491e4
SSDEEP: 12288:a3aVvTuaH8x4D9NDj9JIEMrBaolQIYgsPyQGl50qrx80nFJlLA13AKVe1gWwjU:aKVvTNHTLj99qT4gsF8msJlc1QKVdjU
Malware Config

Signatures

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3080-6-0x000001AAA6360000-0x000001AAA64B0000-memory.dmp   agile_net
  C:\Users\Admin\AppData\Local\Temp\4E36753A.dll                               agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger (25 IoCs)
Processes:
  pid    process
  3080   AimBolt.exe   (25 occurrences)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid    process
  3080   AimBolt.exe   (6 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                 pid    process
  Token: SeDebugPrivilege     3080   AimBolt.exe
Downloads
C:\Users\Admin\AppData\Local\Temp\4E36753A.dll
  Filesize: 604KB
  MD5: ae13a6e81de14733bed53890e94fed12
  SHA1: f389fdbcaf43fbbd66c978583d77b16fe3706532
  SHA256: 3d61760635822a4245ef3910db392685da64101fdd2f0f51ca0ccb18d92aa0e1
  SHA512: 6ab8abe209b28119ce0db495f7157969248ea1116ab939d53489f147411ba8546b5599417fa6a4e29d391815e1dc77f24b84e70cc3513e047cf370da65609b25

Memory dumps (process 3080):
  memory/3080-6-0x000001AAA6360000-0x000001AAA64B0000-memory.dmp    Filesize: 1.3MB
  memory/3080-12-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp   Filesize: 10.8MB
  memory/3080-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp    Filesize: 8KB
  memory/3080-8-0x000001AA8BFD0000-0x000001AA8BFD6000-memory.dmp    Filesize: 24KB
  memory/3080-9-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp    Filesize: 10.8MB
  memory/3080-1-0x000001AA8BB60000-0x000001AA8BC26000-memory.dmp    Filesize: 792KB
  memory/3080-11-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp   Filesize: 10.8MB
  memory/3080-4-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp    Filesize: 10.8MB
  memory/3080-13-0x000001AA8C060000-0x000001AA8C066000-memory.dmp   Filesize: 24KB
  memory/3080-14-0x000001AA8D860000-0x000001AA8D87A000-memory.dmp   Filesize: 104KB
  memory/3080-15-0x000001AAA6310000-0x000001AAA6322000-memory.dmp   Filesize: 72KB
  memory/3080-16-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp   Filesize: 10.8MB
  memory/3080-17-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp   Filesize: 10.8MB
  memory/3080-18-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp   Filesize: 10.8MB