Analysis Overview
SHA256
a28fa8bc8a2275496f736e86adb2e6810512166c85000a594953de1dd368961f
Threat Level: Known bad
The file Spoofer exe.zip was found to be: Known bad.
Malicious Activity Summary
AgentTesla payload
AgentTesla
Agenttesla family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
AgentTesla payload
Looks for VMWare Tools registry key
Checks BIOS information in registry
Themida packer
Obfuscated with Agile.Net obfuscator
Checks whether UAC is enabled
Maps connected drives based on registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-27 03:38
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-27 03:38
Reported
2023-06-27 03:41
Platform
win7-20230621-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-27 03:38
Reported
2023-06-27 03:41
Platform
win10v2004-20230621-en
Max time kernel
63s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 13.89.179.9:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| GB | 96.16.110.41:443 | tcp | |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-06-27 03:38
Reported
2023-06-27 03:41
Platform
win7-20230621-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
Files
memory/1240-56-0x000000013F220000-0x000000013FAA4000-memory.dmp
memory/1240-58-0x000007FE80010000-0x000007FE80011000-memory.dmp
memory/1240-57-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/1240-59-0x0000000002110000-0x000000000218A000-memory.dmp
memory/1240-60-0x000000001F250000-0x000000001F446000-memory.dmp
memory/1240-61-0x000000001BB80000-0x000000001BC00000-memory.dmp
memory/1240-62-0x000000001BB80000-0x000000001BC00000-memory.dmp
memory/1240-82-0x000000013F220000-0x000000013FAA4000-memory.dmp
memory/1240-83-0x000000001BB80000-0x000000001BC00000-memory.dmp
memory/644-84-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/644-85-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/644-87-0x000000013F220000-0x000000013FAA4000-memory.dmp
memory/1240-88-0x000000001BB80000-0x000000001BC00000-memory.dmp
memory/644-90-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/644-91-0x0000000140000000-0x00000001405E8000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-06-27 03:38
Reported
2023-06-27 03:41
Platform
win10v2004-20230621-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 20.189.173.15:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| GB | 96.16.110.41:443 | tcp |
Files
memory/4948-133-0x00007FF757E40000-0x00007FF7586C4000-memory.dmp
memory/4948-135-0x00007FFF00030000-0x00007FFF00031000-memory.dmp
memory/4948-134-0x00007FFF00000000-0x00007FFF00002000-memory.dmp
memory/4948-138-0x00007FF757E40000-0x00007FF7586C4000-memory.dmp
memory/4948-139-0x0000027A40F10000-0x0000027A40F20000-memory.dmp
memory/4948-140-0x0000027A59EB0000-0x0000027A5A0A6000-memory.dmp
memory/4948-150-0x0000027A40F10000-0x0000027A40F20000-memory.dmp
memory/4948-152-0x00007FF757E40000-0x00007FF7586C4000-memory.dmp
memory/4948-153-0x0000027A40F10000-0x0000027A40F20000-memory.dmp
memory/4948-154-0x0000027A40F10000-0x0000027A40F20000-memory.dmp