Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 02:49
Static task: static1
Behavioral task: behavioral1
Sample: LUNA RAIDER.exe
Resource: win7-20240611-en
General
Target: LUNA RAIDER.exe
Size: 8.2MB
MD5: 0437fa16eec1dedfd1ddf69afcccbf0f
SHA1: 1649d8123ebbbc26857b0383efbbc8c329f23161
SHA256: 01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712
SHA512: 5e995a9b3ec1cee80700f4c7f264b09f826a67bdfc65c67bb848815f5289656580e3f62853e0397da0a425ba28fabe385674320d53c36363abab2b2497de5eb2
SSDEEP: 196608:b2qInJf+oTjOGNW+8u8tMmo/UIaIZQHFUQsGZgqBPtgsV:b2qIn4GN8osIVZQu6gAFgk
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoC)
Processes:
resource: behavioral1/memory/1440-3-0x0000000005700000-0x00000000058F6000-memory.dmp
yara_rule: family_agenttesla

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral1/memory/1440-6-0x0000000005A70000-0x0000000005BFE000-memory.dmp
yara_rule: agile_net
resource: behavioral1/memory/1440-7-0x00000000060E0000-0x000000000622E000-memory.dmp
yara_rule: agile_net

Program crash (1 IoC)
Processes:
pid: 2616 (WerFault.exe)
pid_target: 1440 (LUNA RAIDER.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
process: LUNA RAIDER.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
process: LUNA RAIDER.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
process: LUNA RAIDER.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description: PID 1440 wrote to memory of 2616
pid: 1440 (LUNA RAIDER.exe)
target process: WerFault.exe
The same event is recorded four times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
   - Enumerates system info in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 824
      - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/1440-0-0x000000007451E000-0x000000007451F000-memory.dmp  Filesize: 4KB
memory/1440-1-0x0000000000BB0000-0x00000000013F6000-memory.dmp  Filesize: 8.3MB
memory/1440-2-0x0000000074510000-0x0000000074BFE000-memory.dmp  Filesize: 6.9MB
memory/1440-3-0x0000000005700000-0x00000000058F6000-memory.dmp  Filesize: 2.0MB
memory/1440-4-0x0000000005220000-0x000000000536E000-memory.dmp  Filesize: 1.3MB
memory/1440-5-0x00000000005A0000-0x00000000005B4000-memory.dmp  Filesize: 80KB
memory/1440-6-0x0000000005A70000-0x0000000005BFE000-memory.dmp  Filesize: 1.6MB
memory/1440-7-0x00000000060E0000-0x000000000622E000-memory.dmp  Filesize: 1.3MB
memory/1440-8-0x0000000004C60000-0x0000000004C90000-memory.dmp  Filesize: 192KB
memory/1440-9-0x0000000008BA0000-0x0000000008CB6000-memory.dmp  Filesize: 1.1MB
memory/1440-10-0x000000007451E000-0x000000007451F000-memory.dmp  Filesize: 4KB
memory/1440-11-0x0000000074510000-0x0000000074BFE000-memory.dmp  Filesize: 6.9MB