Resubmissions
18/05/2024, 16:28  240518-tyx6ssce93  10
18/05/2024, 16:26  240518-txjxsacd96  10
18/05/2024, 16:25  240518-twx31scb7x  10
18/05/2024, 15:54  240518-tca45sbb3x  10
18/05/2024, 15:51  240518-tazpqabb82  10

Analysis
max time kernel: 66s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2024, 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: VRThook Spoofer.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: VRThook Spoofer.exe
  Resource: win11-20240508-en
General
Target: VRThook Spoofer.exe
Size: 7.1MB
MD5: dbe8d5a8ee46d6c8730745d7078d2bf7
SHA1: 6fb29e4c785bc721382096c1265311880a68d6df
SHA256: 9ddd4b094446a4932e71a3307c2a5210c8cb53be65d006840503c285d571e123
SHA512: 7209980c73bc1b2fbb499bab889dc0981baa719ec031bc98bbe093113b1fbf6aefe580f55978e5ab57ac13cf8538acaab0fe82a5318ac6074c1cb8bb5288e853
SSDEEP: 196608:A+6eX8TgXoZsXFo5C1o+eE59b5zBXVnTRW:A+PY2aI/v7bV
Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoC)
  resource: behavioral1/memory/5112-9-0x0000000006090000-0x00000000062A4000-memory.dmp
  yara_rule: family_agenttesla
Downloads MZ/PE file

Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cszChebCbH\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\cszChebCbH"
  process: mapper.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  process: VRThook Spoofer.exe

Executes dropped EXE (1 IoC)
  pid: 3340  process: mapper.exe

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\mapper.exe  process: VRThook Spoofer.exe
  File created: C:\Windows\driver.sys  process: VRThook Spoofer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  process: VRThook Spoofer.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  process: VRThook Spoofer.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  process: VRThook Spoofer.exe

Suspicious behavior: LoadsDriver (1 IoC)
  pid: 3340  process: mapper.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid: 5112  process: VRThook Spoofer.exe
  Token: SeLoadDriverPrivilege  pid: 3340  process: mapper.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 5112 wrote to memory of 2416  process: VRThook Spoofer.exe  procid_target: 99
  PID 5112 wrote to memory of 2416  process: VRThook Spoofer.exe  procid_target: 99
  PID 5112 wrote to memory of 2416  process: VRThook Spoofer.exe  procid_target: 99
  PID 2416 wrote to memory of 3340  process: cmd.exe  procid_target: 101
  PID 2416 wrote to memory of 3340  process: cmd.exe  procid_target: 101
Processes

C:\Users\Admin\AppData\Local\Temp\VRThook Spoofer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VRThook Spoofer.exe"
  PID: 5112
  - Checks computer location settings
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\mapper.exe C:\Windows\driver.sys
    PID: 2416
    - Suspicious use of WriteProcessMemory

    C:\Windows\mapper.exe
      command line: C:\Windows\mapper.exe C:\Windows\driver.sys
      PID: 3340
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 121KB
MD5: 00047e72bb99132267a4bec3158917a2
SHA1: caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e
SHA256: e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4
SHA512: 7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5