agenttesla | aed6a5da30700be3079cb9f16447e289967740499f1acce297010fe8585b1add

Analysis

max time kernel
54s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatoSpoofer.exe
Size

31.7MB
MD5

d55cc4db0fc8dbffe183f78205ec03fa
SHA1

f02664f6276a1b88ecb14efb4e7c7d9b0747c7d6
SHA256

a3c5ad53ca0367b79c56cb0dc0c42484b9a4e7fa77290ca6ec233f94cacf1e8b
SHA512

b26aaae019111d5e23fb293de30380646770dcd31e146edfaff37904f5dc78ac2504050d647d4f212ad42f14a9193a7dc6ef7171f30f356b023fd129e94ec251
SSDEEP

786432:0lH0ByeGkm9QxG774aXrKE/Awx7PL/PlTe0P98qtyXU:s6yesGWnbK5EPL/PlCk60q

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2376-64-0x00000224AFC70000-0x00000224AFE66000-memory.dmp	family_agenttesla

Loads dropped DLL 2 IoCs

Processes:

CheatoSpoofer.exeCheatoSpoofer.exe

pid process

2376 CheatoSpoofer.exe
4852 CheatoSpoofer.exe

Obfuscated with Agile.Net obfuscator 15 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2376-7-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-8-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-11-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-12-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-13-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-16-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-55-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-81-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/2376-88-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/4852-91-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/4852-92-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/4852-93-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/4852-94-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/4852-95-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net
behavioral1/memory/4852-109-0x0000000000CE0000-0x00000000056D2000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

CheatoSpoofer.exeCheatoSpoofer.exe

pid process

2376 CheatoSpoofer.exe
2376 CheatoSpoofer.exe
2376 CheatoSpoofer.exe
2376 CheatoSpoofer.exe
4852 CheatoSpoofer.exe
4852 CheatoSpoofer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

CheatoSpoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	CheatoSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	CheatoSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	CheatoSpoofer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CheatoSpoofer.exe

pid	process
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe
2376	CheatoSpoofer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

CheatoSpoofer.exeCheatoSpoofer.exe

description	pid	process
Token: SeDebugPrivilege	2376	CheatoSpoofer.exe
Token: SeSystemEnvironmentPrivilege	2376	CheatoSpoofer.exe
Token: SeSecurityPrivilege	2376	CheatoSpoofer.exe
Token: SeTakeOwnershipPrivilege	2376	CheatoSpoofer.exe
Token: SeBackupPrivilege	2376	CheatoSpoofer.exe
Token: SeRestorePrivilege	2376	CheatoSpoofer.exe
Token: SeShutdownPrivilege	2376	CheatoSpoofer.exe
Token: SeDebugPrivilege	2376	CheatoSpoofer.exe
Token: SeAuditPrivilege	2376	CheatoSpoofer.exe
Token: SeSystemEnvironmentPrivilege	2376	CheatoSpoofer.exe
Token: SeManageVolumePrivilege	2376	CheatoSpoofer.exe
Token: SeImpersonatePrivilege	2376	CheatoSpoofer.exe
Token: SeDebugPrivilege	4852	CheatoSpoofer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

CheatoSpoofer.exe

pid process

2376 CheatoSpoofer.exe
2376 CheatoSpoofer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CheatoSpoofer.exe

pid process

4852 CheatoSpoofer.exe

pid	process
4852	CheatoSpoofer.exe

C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sentry\9588CF3ABD7EF58A0A76612B90AB4AC3D3B45E66\.installation
Filesize
36B

MD5
8c46bfd1fed4adb3269ad93f94363942

SHA1
f1e103436396974d9544689ca0cd0d07c419e419

SHA256
18af4b5d8e0543216edef9410bf5173cb75ba7c3d01e0752e5dca6519ecb9245

SHA512
b109c9307cd9b956398f23e52025eb880d176f08bfadfd7f39f856cd445bb0c7e652566bfd03f868d339cbe4ff9156284d1db3b9623fe0e45e2adb91d8aaa55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\1E86214F0E241413D5D58494E90760E9\64\user64.dll
Filesize
226KB

MD5
519f34494d7484d85ecfad85f23bac05

SHA1
8f1be6ce8501ca1def6d02fde760d48169677bc5

SHA256
1f7a51dd23092e70b8e323c86229de242568ffc7d27271aaf88d051662ba32f9

SHA512
d9e34321e6d32c5da664200bb5609bb2d19fcd44d36f8109e7ad2e44b5dbf1cb46e3d5b8c529d90f051e6f4cc2891301f213c9d3faac8fc4a0f3b0b8d9a3f81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bhnbofi.jdp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2376-0-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-2-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-1-0x00007FFB408B0000-0x00007FFB408B1000-memory.dmp

Filesize
4KB

Download
memory/2376-3-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-4-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-5-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-6-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-9-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-10-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-7-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-8-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-11-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-12-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-15-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-14-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-13-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-16-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-18-0x0000022495700000-0x000002249573E000-memory.dmp

Filesize
248KB

Download
memory/2376-25-0x0000022495750000-0x0000022495758000-memory.dmp

Filesize
32KB

Download
memory/2376-26-0x00000224AE1B0000-0x00000224AE1B8000-memory.dmp

Filesize
32KB

Download
memory/2376-24-0x00000224AF2E0000-0x00000224AF374000-memory.dmp

Filesize
592KB

Download
memory/2376-23-0x00000224AE160000-0x00000224AE198000-memory.dmp

Filesize
224KB

Download
memory/2376-30-0x00000224AF380000-0x00000224AF38A000-memory.dmp

Filesize
40KB

Download
memory/2376-29-0x00000224AF370000-0x00000224AF378000-memory.dmp

Filesize
32KB

Download
memory/2376-34-0x00000224AF390000-0x00000224AF398000-memory.dmp

Filesize
32KB

Download
memory/2376-33-0x00000224AE210000-0x00000224AE218000-memory.dmp

Filesize
32KB

Download
memory/2376-32-0x00000224AF4E0000-0x00000224AF506000-memory.dmp

Filesize
152KB

Download
memory/2376-37-0x00000224AF3C0000-0x00000224AF41A000-memory.dmp

Filesize
360KB

Download
memory/2376-39-0x00000224AF430000-0x00000224AF444000-memory.dmp

Filesize
80KB

Download
memory/2376-38-0x00000224AF420000-0x00000224AF42C000-memory.dmp

Filesize
48KB

Download
memory/2376-36-0x00000224AF3A0000-0x00000224AF3C4000-memory.dmp

Filesize
144KB

Download
memory/2376-31-0x00000224AF450000-0x00000224AF464000-memory.dmp

Filesize
80KB

Download
memory/2376-28-0x00000224AE1A0000-0x00000224AE1AA000-memory.dmp

Filesize
40KB

Download
memory/2376-27-0x0000022495740000-0x0000022495748000-memory.dmp

Filesize
32KB

Download
memory/2376-41-0x00000224AF650000-0x00000224AF702000-memory.dmp

Filesize
712KB

Download
memory/2376-44-0x00000224AF740000-0x00000224AF75A000-memory.dmp

Filesize
104KB

Download
memory/2376-43-0x00000224AF700000-0x00000224AF71A000-memory.dmp

Filesize
104KB

Download
memory/2376-45-0x00000224AF7A0000-0x00000224AF7C2000-memory.dmp

Filesize
136KB

Download
memory/2376-42-0x00000224AF4D0000-0x00000224AF4DE000-memory.dmp

Filesize
56KB

Download
memory/2376-40-0x00000224AF480000-0x00000224AF4C8000-memory.dmp

Filesize
288KB

Download
memory/2376-56-0x00000224946C0000-0x00000224946C8000-memory.dmp

Filesize
32KB

Download
memory/2376-55-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-57-0x00000224AF910000-0x00000224AF942000-memory.dmp

Filesize
200KB

Download
memory/2376-58-0x00000224AF9A0000-0x00000224AFA16000-memory.dmp

Filesize
472KB

Download
memory/2376-60-0x00000224AF940000-0x00000224AF972000-memory.dmp

Filesize
200KB

Download
memory/2376-59-0x00000224AF8F0000-0x00000224AF908000-memory.dmp

Filesize
96KB

Download
memory/2376-62-0x00000224AF980000-0x00000224AF98A000-memory.dmp

Filesize
40KB

Download
memory/2376-61-0x00000224AF970000-0x00000224AF978000-memory.dmp

Filesize
32KB

Download
memory/2376-63-0x00000224AFBB0000-0x00000224AFC74000-memory.dmp

Filesize
784KB

Download
memory/2376-64-0x00000224AFC70000-0x00000224AFE66000-memory.dmp

Filesize
2.0MB

Download
memory/2376-65-0x00000224B0D50000-0x00000224B0DCE000-memory.dmp

Filesize
504KB

Download
memory/2376-66-0x00000224B0DD0000-0x00000224B0F1E000-memory.dmp

Filesize
1.3MB

Download
memory/2376-67-0x00000224B0060000-0x00000224B0074000-memory.dmp

Filesize
80KB

Download
memory/2376-68-0x00000224B2280000-0x00000224B244E000-memory.dmp

Filesize
1.8MB

Download
memory/2376-69-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-72-0x00000224B3780000-0x00000224B379A000-memory.dmp

Filesize
104KB

Download
memory/2376-71-0x00000224B3770000-0x00000224B3778000-memory.dmp

Filesize
32KB

Download
memory/2376-70-0x00000224B3750000-0x00000224B375E000-memory.dmp

Filesize
56KB

Download
memory/2376-75-0x00000224B37D0000-0x00000224B37D6000-memory.dmp

Filesize
24KB

Download
memory/2376-76-0x00000224B37E0000-0x00000224B37E8000-memory.dmp

Filesize
32KB

Download
memory/2376-74-0x00000224B37C0000-0x00000224B37CA000-memory.dmp

Filesize
40KB

Download
memory/2376-73-0x00000224B37B0000-0x00000224B37B6000-memory.dmp

Filesize
24KB

Download
memory/2376-77-0x00000224B37F0000-0x00000224B3850000-memory.dmp

Filesize
384KB

Download
memory/2376-80-0x00000224B3860000-0x00000224B3874000-memory.dmp

Filesize
80KB

Download
memory/2376-79-0x00000224B3850000-0x00000224B385C000-memory.dmp

Filesize
48KB

Download
memory/2376-78-0x00000224B3B40000-0x00000224B3C98000-memory.dmp

Filesize
1.3MB

Download
memory/2376-83-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-81-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/2376-85-0x00000224B00D0000-0x00000224B00E4000-memory.dmp

Filesize
80KB

Download
memory/2376-87-0x00000224B00F0000-0x00000224B010E000-memory.dmp

Filesize
120KB

Download
memory/2376-86-0x00000224B00E0000-0x00000224B00EE000-memory.dmp

Filesize
56KB

Download
memory/2376-84-0x00000224B00C0000-0x00000224B00CA000-memory.dmp

Filesize
40KB

Download
memory/2376-90-0x00007FFB40810000-0x00007FFB40A05000-memory.dmp

Filesize
2.0MB

Download
memory/2376-88-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-91-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-92-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-93-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-94-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-95-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-110-0x000001B69F270000-0x000001B69F278000-memory.dmp

Filesize
32KB

Download
memory/4852-109-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download
memory/4852-111-0x0000000000CE0000-0x00000000056D2000-memory.dmp

Filesize
73.9MB

Download