Resubmissions
240518-tyx6ssce93  score 10  18/05/2024, 16:28
240518-txjxsacd96  score 10  18/05/2024, 16:26
240518-twx31scb7x  score 10  18/05/2024, 16:25
240518-tca45sbb3x  score 10  18/05/2024, 15:54
240518-tazpqabb82  score 10  18/05/2024, 15:51

Analysis
max time kernel: 133s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 18/05/2024, 15:51
Static task: static1 (1 signature)
Behavioral task: behavioral1, sample VRThook Spoofer.exe, resource win7-20240221-en, 9 signatures, 150 seconds
Behavioral task: behavioral2, sample VRThook Spoofer.exe, resource win10v2004-20240426-en, 6 signatures, 150 seconds
General
Target: VRThook Spoofer.exe
Size: 7.1MB
MD5: dbe8d5a8ee46d6c8730745d7078d2bf7
SHA1: 6fb29e4c785bc721382096c1265311880a68d6df
SHA256: 9ddd4b094446a4932e71a3307c2a5210c8cb53be65d006840503c285d571e123
SHA512: 7209980c73bc1b2fbb499bab889dc0981baa719ec031bc98bbe093113b1fbf6aefe580f55978e5ab57ac13cf8538acaab0fe82a5318ac6074c1cb8bb5288e853
SSDEEP: 196608:A+6eX8TgXoZsXFo5C1o+eE59b5zBXVnTRW:A+PY2aI/v7bV
Score: 10/10
Malware Config
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload (1 IoC)
resource: behavioral2/memory/4708-9-0x0000000006A50000-0x0000000006C64000-memory.dmp, yara_rule: family_agenttesla
Delays execution with timeout.exe (1 IoC)
pid 1492, process timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: VRThook Spoofer.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: VRThook Spoofer.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (process: VRThook Spoofer.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 4708, process VRThook Spoofer.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | procid_target
PID 4708 wrote to memory of 3768 | 4708 | VRThook Spoofer.exe | 98
PID 4708 wrote to memory of 3768 | 4708 | VRThook Spoofer.exe | 98
PID 4708 wrote to memory of 3768 | 4708 | VRThook Spoofer.exe | 98
PID 3768 wrote to memory of 1848 | 3768 | cmd.exe | 100
PID 3768 wrote to memory of 1848 | 3768 | cmd.exe | 100
PID 3768 wrote to memory of 1848 | 3768 | cmd.exe | 100
PID 1848 wrote to memory of 1492 | 1848 | cmd.exe | 102
PID 1848 wrote to memory of 1492 | 1848 | cmd.exe | 102
PID 1848 wrote to memory of 1492 | 1848 | cmd.exe | 102
Processes
C:\Users\Admin\AppData\Local\Temp\VRThook Spoofer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VRThook Spoofer.exe"
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4708
  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"
    - Suspicious use of WriteProcessMemory
    PID: 3768
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"
      - Suspicious use of WriteProcessMemory
      PID: 1848
      C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 5
        - Delays execution with timeout.exe
        PID: 1492