Analysis
-
max time kernel
62s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 02:46
General
-
Target
LUNA RAIDER.exe
-
Size
8.2MB
-
MD5
0437fa16eec1dedfd1ddf69afcccbf0f
-
SHA1
1649d8123ebbbc26857b0383efbbc8c329f23161
-
SHA256
01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712
-
SHA512
5e995a9b3ec1cee80700f4c7f264b09f826a67bdfc65c67bb848815f5289656580e3f62853e0397da0a425ba28fabe385674320d53c36363abab2b2497de5eb2
-
SSDEEP
196608:b2qInJf+oTjOGNW+8u8tMmo/UIaIZQHFUQsGZgqBPtgsV:b2qIn4GN8osIVZQu6gAFgk
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"1⤵
- Checks computer location settings
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4364-0-0x000000007486E000-0x000000007486F000-memory.dmpFilesize
4KB
-
memory/4364-1-0x0000000000140000-0x0000000000986000-memory.dmpFilesize
8.3MB
-
memory/4364-2-0x0000000005A40000-0x0000000005FE4000-memory.dmpFilesize
5.6MB
-
memory/4364-3-0x00000000053B0000-0x0000000005442000-memory.dmpFilesize
584KB
-
memory/4364-4-0x0000000005330000-0x0000000005342000-memory.dmpFilesize
72KB
-
memory/4364-5-0x0000000005460000-0x000000000546A000-memory.dmpFilesize
40KB
-
memory/4364-6-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4364-7-0x0000000005660000-0x0000000005856000-memory.dmpFilesize
2.0MB
-
memory/4364-8-0x0000000005FF0000-0x000000000613E000-memory.dmpFilesize
1.3MB
-
memory/4364-9-0x0000000005960000-0x0000000005974000-memory.dmpFilesize
80KB
-
memory/4364-10-0x0000000006140000-0x00000000062CE000-memory.dmpFilesize
1.6MB
-
memory/4364-11-0x00000000074D0000-0x000000000761E000-memory.dmpFilesize
1.3MB
-
memory/4364-12-0x0000000007650000-0x0000000007680000-memory.dmpFilesize
192KB
-
memory/4364-13-0x00000000076A0000-0x00000000077B6000-memory.dmpFilesize
1.1MB
-
memory/4364-14-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4364-15-0x0000000009FE0000-0x000000000A01C000-memory.dmpFilesize
240KB
-
memory/4364-16-0x000000000A020000-0x000000000A03A000-memory.dmpFilesize
104KB
-
memory/4364-20-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB