agenttesla | a3c5ad53ca0367b79c56cb0dc0c42484b9a4e7fa77290ca6ec233f94cacf1e8b

Analysis

max time kernel
88s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
09-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatoSpoofer.exe
Size

31.7MB
MD5

d55cc4db0fc8dbffe183f78205ec03fa
SHA1

f02664f6276a1b88ecb14efb4e7c7d9b0747c7d6
SHA256

a3c5ad53ca0367b79c56cb0dc0c42484b9a4e7fa77290ca6ec233f94cacf1e8b
SHA512

b26aaae019111d5e23fb293de30380646770dcd31e146edfaff37904f5dc78ac2504050d647d4f212ad42f14a9193a7dc6ef7171f30f356b023fd129e94ec251
SSDEEP

786432:0lH0ByeGkm9QxG774aXrKE/Awx7PL/PlTe0P98qtyXU:s6yesGWnbK5EPL/PlCk60q

Score

10^/10

agenttesla zgrat agilenet keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3644-11-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-12-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-16-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-17-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-18-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-19-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-56-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-89-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-76-0x0000000000970000-0x0000000005362000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3644-64-0x00000163FB1C0000-0x00000163FB3B6000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

CheatoSpoofer.exe

pid process

3644 CheatoSpoofer.exe

Obfuscated with Agile.Net obfuscator 9 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3644-11-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-12-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-16-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-17-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-18-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-19-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-56-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-89-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net
behavioral1/memory/3644-76-0x0000000000970000-0x0000000005362000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

CheatoSpoofer.exe

pid process

3644 CheatoSpoofer.exe
3644 CheatoSpoofer.exe
3644 CheatoSpoofer.exe
3644 CheatoSpoofer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

CheatoSpoofer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	CheatoSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	CheatoSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	CheatoSpoofer.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CheatoSpoofer.exe

pid	process
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe
3644	CheatoSpoofer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

CheatoSpoofer.exe

description	pid	process
Token: SeDebugPrivilege	3644	CheatoSpoofer.exe
Token: SeSystemEnvironmentPrivilege	3644	CheatoSpoofer.exe
Token: SeSecurityPrivilege	3644	CheatoSpoofer.exe
Token: SeTakeOwnershipPrivilege	3644	CheatoSpoofer.exe
Token: SeBackupPrivilege	3644	CheatoSpoofer.exe
Token: SeRestorePrivilege	3644	CheatoSpoofer.exe
Token: SeShutdownPrivilege	3644	CheatoSpoofer.exe
Token: SeDebugPrivilege	3644	CheatoSpoofer.exe
Token: SeAuditPrivilege	3644	CheatoSpoofer.exe
Token: SeSystemEnvironmentPrivilege	3644	CheatoSpoofer.exe
Token: SeManageVolumePrivilege	3644	CheatoSpoofer.exe
Token: SeImpersonatePrivilege	3644	CheatoSpoofer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

2300 MiniSearchHost.exe

pid	process
2300	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\1E86214F0E241413D5D58494E90760E9\64\user64.dll

Filesize
226KB

MD5
519f34494d7484d85ecfad85f23bac05

SHA1
8f1be6ce8501ca1def6d02fde760d48169677bc5

SHA256
1f7a51dd23092e70b8e323c86229de242568ffc7d27271aaf88d051662ba32f9

SHA512
d9e34321e6d32c5da664200bb5609bb2d19fcd44d36f8109e7ad2e44b5dbf1cb46e3d5b8c529d90f051e6f4cc2891301f213c9d3faac8fc4a0f3b0b8d9a3f81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnctxskp.54s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3644-0-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-2-0x00007FF9EA307000-0x00007FF9EA308000-memory.dmp

Filesize
4KB

Download
memory/3644-1-0x00007FF9E9330000-0x00007FF9E9340000-memory.dmp

Filesize
64KB

Download
memory/3644-3-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-4-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-5-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-6-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-7-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-8-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-9-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-10-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-13-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-14-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-15-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-11-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-12-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-16-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-17-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-18-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-19-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-20-0x00000163E2330000-0x00000163E236E000-memory.dmp

Filesize
248KB

Download
memory/3644-26-0x00000163FA7D0000-0x00000163FA864000-memory.dmp

Filesize
592KB

Download
memory/3644-28-0x00000163E23B0000-0x00000163E23B8000-memory.dmp

Filesize
32KB

Download
memory/3644-27-0x00000163E0D70000-0x00000163E0D78000-memory.dmp

Filesize
32KB

Download
memory/3644-32-0x00000163FA8B0000-0x00000163FA8BA000-memory.dmp

Filesize
40KB

Download
memory/3644-31-0x00000163E23C0000-0x00000163E23C8000-memory.dmp

Filesize
32KB

Download
memory/3644-30-0x00000163E1DC0000-0x00000163E1DCA000-memory.dmp

Filesize
40KB

Download
memory/3644-36-0x00000163FA920000-0x00000163FA928000-memory.dmp

Filesize
32KB

Download
memory/3644-41-0x00000163FA9C0000-0x00000163FA9D4000-memory.dmp

Filesize
80KB

Download
memory/3644-40-0x00000163FA9B0000-0x00000163FA9BC000-memory.dmp

Filesize
48KB

Download
memory/3644-39-0x00000163FA950000-0x00000163FA9AA000-memory.dmp

Filesize
360KB

Download
memory/3644-38-0x00000163FA930000-0x00000163FA954000-memory.dmp

Filesize
144KB

Download
memory/3644-35-0x00000163FA910000-0x00000163FA918000-memory.dmp

Filesize
32KB

Download
memory/3644-34-0x00000163FA8D0000-0x00000163FA8F6000-memory.dmp

Filesize
152KB

Download
memory/3644-33-0x00000163FA8C0000-0x00000163FA8D4000-memory.dmp

Filesize
80KB

Download
memory/3644-29-0x00000163E1DB0000-0x00000163E1DB8000-memory.dmp

Filesize
32KB

Download
memory/3644-25-0x00000163E2370000-0x00000163E23A8000-memory.dmp

Filesize
224KB

Download
memory/3644-46-0x00000163FAC90000-0x00000163FACAA000-memory.dmp

Filesize
104KB

Download
memory/3644-45-0x00000163FAC70000-0x00000163FAC8A000-memory.dmp

Filesize
104KB

Download
memory/3644-44-0x00000163FAB40000-0x00000163FAB4E000-memory.dmp

Filesize
56KB

Download
memory/3644-47-0x00000163FACE0000-0x00000163FAD02000-memory.dmp

Filesize
136KB

Download
memory/3644-43-0x00000163FABC0000-0x00000163FAC72000-memory.dmp

Filesize
712KB

Download
memory/3644-42-0x00000163FAB50000-0x00000163FAB98000-memory.dmp

Filesize
288KB

Download
memory/3644-56-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-58-0x00000163FAEB0000-0x00000163FAF26000-memory.dmp

Filesize
472KB

Download
memory/3644-57-0x00000163FAE80000-0x00000163FAEB2000-memory.dmp

Filesize
200KB

Download
memory/3644-60-0x00000163FAF50000-0x00000163FAF82000-memory.dmp

Filesize
200KB

Download
memory/3644-59-0x00000163FAF30000-0x00000163FAF48000-memory.dmp

Filesize
96KB

Download
memory/3644-62-0x00000163FAF80000-0x00000163FAF8A000-memory.dmp

Filesize
40KB

Download
memory/3644-61-0x00000163FAE70000-0x00000163FAE78000-memory.dmp

Filesize
32KB

Download
memory/3644-63-0x00000163FB100000-0x00000163FB1C4000-memory.dmp

Filesize
784KB

Download
memory/3644-64-0x00000163FB1C0000-0x00000163FB3B6000-memory.dmp

Filesize
2.0MB

Download
memory/3644-65-0x00000163FBC30000-0x00000163FBCAE000-memory.dmp

Filesize
504KB

Download
memory/3644-67-0x00000163FB0A0000-0x00000163FB0B4000-memory.dmp

Filesize
80KB

Download
memory/3644-66-0x00000163FBCB0000-0x00000163FBDFE000-memory.dmp

Filesize
1.3MB

Download
memory/3644-68-0x00000163FD840000-0x00000163FDA0E000-memory.dmp

Filesize
1.8MB

Download
memory/3644-69-0x00000163FBFB0000-0x00000163FBFBE000-memory.dmp

Filesize
56KB

Download
memory/3644-80-0x00000163FED20000-0x00000163FED34000-memory.dmp

Filesize
80KB

Download
memory/3644-79-0x00000163FED10000-0x00000163FED1C000-memory.dmp

Filesize
48KB

Download
memory/3644-78-0x00000163FF000000-0x00000163FF158000-memory.dmp

Filesize
1.3MB

Download
memory/3644-77-0x00000163FECB0000-0x00000163FED10000-memory.dmp

Filesize
384KB

Download
memory/3644-70-0x00000163FEC20000-0x00000163FEC28000-memory.dmp

Filesize
32KB

Download
memory/3644-71-0x00000163FEC30000-0x00000163FEC4A000-memory.dmp

Filesize
104KB

Download
memory/3644-75-0x00000163FEC90000-0x00000163FEC98000-memory.dmp

Filesize
32KB

Download
memory/3644-74-0x00000163FEC80000-0x00000163FEC86000-memory.dmp

Filesize
24KB

Download
memory/3644-73-0x00000163FEC70000-0x00000163FEC7A000-memory.dmp

Filesize
40KB

Download
memory/3644-72-0x00000163FEC50000-0x00000163FEC56000-memory.dmp

Filesize
24KB

Download
memory/3644-83-0x00000163FED50000-0x00000163FED5E000-memory.dmp

Filesize
56KB

Download
memory/3644-84-0x00000163FED60000-0x00000163FED7E000-memory.dmp

Filesize
120KB

Download
memory/3644-82-0x00000163FACC0000-0x00000163FACD4000-memory.dmp

Filesize
80KB

Download
memory/3644-81-0x00000163FACB0000-0x00000163FACBA000-memory.dmp

Filesize
40KB

Download
memory/3644-87-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-88-0x00007FF9EA260000-0x00007FF9EA469000-memory.dmp

Filesize
2.0MB

Download
memory/3644-89-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download
memory/3644-76-0x0000000000970000-0x0000000005362000-memory.dmp

Filesize
73.9MB

Download