agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

CipherWare Spoofer 04-29.rar
Size

11.4MB
Sample

240611-nf245svdph
MD5

353b77804e6ee0c1282787dbd8a99874
SHA1

ddb2d691e9691b92f15534f0f975f67a1a787ee2
SHA256

9f0930c6ccac8f9a6a58b056ce2cfa25da6a4c61ce6bdb31d80b963e911e0adf
SHA512

a19b7f24f91f735110d37378006364c2acd6d36330dc0e8c47fd3f1f3e24abc4f423d4c928ac5018fa850b4723d75dfdd7d8d67989289a6338242bf51f6f2867
SSDEEP

196608:VUROe2gz2r4PGL4kyuE4oeFP5wZ4XG67nmxSwPJ2MfoFhAr5DK18LKuD157wb:W2gze4uL4zG3w+znwRhobArN7Bab

Score

10^/10

Malware Config

Targets

- Target
  
  CipherWare Spoofer 04-29.rar
- Size
  
  11.4MB
- MD5
  
  353b77804e6ee0c1282787dbd8a99874
- SHA1
  
  ddb2d691e9691b92f15534f0f975f67a1a787ee2
- SHA256
  
  9f0930c6ccac8f9a6a58b056ce2cfa25da6a4c61ce6bdb31d80b963e911e0adf
- SHA512
  
  a19b7f24f91f735110d37378006364c2acd6d36330dc0e8c47fd3f1f3e24abc4f423d4c928ac5018fa850b4723d75dfdd7d8d67989289a6338242bf51f6f2867
- SSDEEP
  
  196608:VUROe2gz2r4PGL4kyuE4oeFP5wZ4XG67nmxSwPJ2MfoFhAr5DK18LKuD157wb:W2gze4uL4zG3w+znwRhobArN7Bab
Score

3^/10
behavioral1 behavioral2
- Target
  
  CipherWare Spoofer 04-29/Instructions.txt
- Size
  
  1KB
- MD5
  
  471ae022b1d850bcda15be9d3bf391df
- SHA1
  
  f5833546d0a263ec0089cd92c6aa3be9bbd0e566
- SHA256
  
  0fdea98c7cdeced3e08d3db43aa8bd33e393f39b6b6b7c2e743dd3b55504ab29
- SHA512
  
  a6568b51f80ba4a0b39752bef9b8570056e81e6cbe2fb7a1f67892777869ca6a758eea215762100490037c4812cb1e6dbe0f47aabc1c08946b4966d1b84c30a1
Score

1^/10
behavioral3 behavioral4
- Target
  
  CipherWare Spoofer 04-29/Requirements/Defender Control/Defender Control.exe
- Size
  
  447KB
- MD5
  
  58008524a6473bdf86c1040a9a9e39c3
- SHA1
  
  cb704d2e8df80fd3500a5b817966dc262d80ddb8
- SHA256
  
  1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- SHA512
  
  8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- SSDEEP
  
  6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral5 behavioral6
- Target
  
  out.upx
- Size
  
  653KB
- MD5
  
  6970ea0b6597dcd5b4f5f19f28e958a8
- SHA1
  
  a0130bb7ac03ec4799c90781ca93fd1392c6d54c
- SHA256
  
  481e03978ca339ce697252895efe89b09fefd3098ad247d24eeb6cca9969f553
- SHA512
  
  bc95cbe9a050e3d3b713745ef399bf2817d38f8e019f6edffdd2bf755badbde766e434e39a7f32356125bba0692b694c18da8dd0762aac0c9430d45acb215e01
- SSDEEP
  
  12288:nkxDoouVA2nxKkhEvdRgQriDJOIlW+yBGQowlNCWS:RRmJkioQrilOIc+yMx
Score

1^/10
behavioral7 behavioral8
- Target
  
  CipherWare Spoofer 04-29/Requirements/Defender Control/Defender_Settings.vbs
- Size
  
  313B
- MD5
  
  b0bf0a477bcca312021177572311e666
- SHA1
  
  ea77332d7779938ae8e92ad35d6dea4f4be37a92
- SHA256
  
  af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
- SHA512
  
  09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8
Score

3^/10
behavioral10 behavioral9
- Target
  
  CipherWare Spoofer 04-29/Requirements/Defender Control/dControl.ini
- Size
  
  85KB
- MD5
  
  05450ff06366ae22654b63a6e27d1624
- SHA1
  
  11453c370f41287fb6339e509bb9d3c91842b379
- SHA256
  
  8e9a84da243905685ca77b6ef71841e610b88b7963d4de59f6dcbdd1621ecacd
- SHA512
  
  ee0a9605b566aa89c8c9b260e1d9c15aecbd6cddc2df47fe24ef2cafbe8923b3e025bd5cd3d34499292589a3c094dd796ab4560c8099bad2051a54928c37b4b2
- SSDEEP
  
  768:i/G+NmPfjsxaxdk2akexodULxEQq1wIgC+AEbSr6:1+NyjsxkKdkJdULgbWSO
Score

1^/10
behavioral11 behavioral12
- Target
  
  CipherWare Spoofer 04-29/Requirements/DirectX End-User Runtime.url
- Size
  
  149B
- MD5
  
  6be6a35a2429c11aed6a971fde50409f
- SHA1
  
  bab3b7812a4e8415039cf968e172f346c1a38b53
- SHA256
  
  465f8c2b16cfa0f27d6bc39ecda3e7b2c758e2ff19a776246ab48bd328b88875
- SHA512
  
  b3cb8d43257ae15429147337ffcea247e6241f2cbd5fb0f92d4f5ab7c0e8e6e8bc6087413e116c7f0a2dc9162e55362ed10f2aa778c0b998cdbb4ad58ca18e65
Score

1^/10
behavioral13 behavioral14
- Target
  
  CipherWare Spoofer 04-29/Requirements/Disable IPv6 First/1.png
- Size
  
  8KB
- MD5
  
  f4c0cb1da948ef49e9ab9f15e5dcc51b
- SHA1
  
  b6754d4ce40407e5b0a086bf7ed045795dfe25f2
- SHA256
  
  0b366bea05f699f0f5214f73abd3969cb3551042c8dce43c5abdac94a7af376c
- SHA512
  
  1b466df05fc916001b826fa511184323fa5d8e82dce0b15b1e1f3829f77c60b8483dea87f56cb79953451a21b47d5b0b2624c357e2b6ceb73e0fb54c8feb11b7
- SSDEEP
  
  192:6+beQ6CjISLDW5XJeF1SQUBFGLrrkAEfi5HYPAv8oKB5:6+qQwSaAUurkNiZEzn
Score

3^/10
behavioral15 behavioral16
- Target
  
  CipherWare Spoofer 04-29/Requirements/Disable IPv6 First/2.png
- Size
  
  31KB
- MD5
  
  73d5f10f883fd1cdbfd29d63f16f85f6
- SHA1
  
  a3632b466ece0ee05abb3c85a4817cbcf19cbff9
- SHA256
  
  40b4c8011b95df55741388b06110ca0cf56a40bc46a52ddf86a04d7b5180a2d7
- SHA512
  
  19a722ccd463d14196ab5b1ef86da7d91146a29f26681ca2bfa9c9801ed234c7a28a5bc6af20c6a021a9937a86eba7707c5fe48e4e7093f743d716605947f0a0
- SSDEEP
  
  768:nqN/lG/2f8HcPahSfqGPX9A5GkzpPRTpwFLa1JXm:nqNtGu5ahSqYXm7RpmLaa
Score

3^/10
behavioral17 behavioral18
- Target
  
  CipherWare Spoofer 04-29/Requirements/Disable IPv6 First/3.png
- Size
  
  51KB
- MD5
  
  f8d73f45036054f4d5e7d2cc4c16a51d
- SHA1
  
  a24840bef7e4dea01bf16dffea357adec7b65c20
- SHA256
  
  d4f4094b0b2e2a66f5d60b35b661986fe6a8954673edae0c8ecd2c4cae9006c7
- SHA512
  
  e97074c62fe53d35367183554bfdbfabaaecd70a2c814a87af4c5cff46b861fb5fab44a524c70054ccec98f3beeb8136e26d843957827e18272dc6775ce0645d
- SSDEEP
  
  768:IRuB90w/KZUmi3EKYDCNBLOBmU4b3HcBrFrMlUecF5xE7J5uDbVGpMX6R4osRfdQ:pNCZUTEBDUFb3HkMlSF/oJTZMbaL
Score

3^/10
behavioral19 behavioral20
- Target
  
  CipherWare Spoofer 04-29/Requirements/Visual C++ Redistributable Runtimes All-in-One.url
- Size
  
  179B
- MD5
  
  6236fc6a33c4f3932921b379209a73f7
- SHA1
  
  059580fd5b36df55ef0d38a3c61a40f6574a4789
- SHA256
  
  30ba4f2828ed80f36c0d4d253d7b9990ea57b354283262792140ea85b3d08024
- SHA512
  
  a83645a156ae4a6d9509d6b5299ba9895090fb63b9005491b8a93c9e29dc313c193d07bf50c34ad378488a1e7718e0d8ecb2d9a48b8cc5209992dc8537472338
Score

1^/10
behavioral21 behavioral22
- Target
  
  CipherWare Spoofer 04-29/Requirements/Windows Update Blocker/Windows Update Blocker x32.exe
- Size
  
  791KB
- MD5
  
  82aff8883099cf75462057c4e47e88ac
- SHA1
  
  68e2939f59b3869e9bd3ecc4aca3947649631bf8
- SHA256
  
  aac1123f17f8569a36bf93876cea30e15103fd2379b401a79129a2a6e7285ac2
- SHA512
  
  212ac940a1f8bdd805813c279d471efc53b858bc35c5edad182dfde3c29c37854618a507a0a0839e5a383d1ba4fe317c0b3c8275d023c86ecfa36f221560b96d
- SSDEEP
  
  12288:ZaWzgMg7v3qnCiWErQohh0F4YCJ8lnyTQrv2HzAMI3u18:4aHMv6CWrj8nyTQrv2TAMI3ua
Score

3^/10
behavioral23 behavioral24
- Target
  
  CipherWare Spoofer 04-29/Requirements/Windows Update Blocker/Windows Update Blocker x64.exe
- Size
  
  939KB
- MD5
  
  9d6778f7f274f7ecd4e7e875a7268b64
- SHA1
  
  452fa439f1cc0b9fcc37cf4b8cfff96e8cc348aa
- SHA256
  
  187eeee9e518011de1b87cfb0ed03e12ea551e9011f0c8defdd0e4535e672da2
- SHA512
  
  d51df55a5f903ec624550e847459bfa52fb19e892a58fe2de41251d9d98890b36f26a4950ad75f900de0311b5330066aaece11ec5e549d5b3867a61a344e0b87
- SSDEEP
  
  24576:12DW/xbqX2YIbzQsu3/PNLIQFHyBvGThpZY9:12EmXGQsW/PN0QNlZI
Score

3^/10
behavioral25 behavioral26
- Target
  
  CipherWare Spoofer 04-29/Requirements/Windows Update Blocker/Wub.ini
- Size
  
  97KB
- MD5
  
  a16bf55cd2ef7d9e56565b0ed1aa208a
- SHA1
  
  19edddaa24f73d9d01150babd58b1bcc0ff5d849
- SHA256
  
  30eb977d58106050818626b9b556a3badc7b7d012462903120a0663987c74c0b
- SHA512
  
  ab87d94620b0d77bfa8ff3e721bbb68a28185245b173be7b62195588e2a3b3d3a9ee085497300c14876118dff4edca7fea202328f3156a76c53f786b8d5b6118
- SSDEEP
  
  3072:/sRhs8Y6aeg3r3wgjkyIFJ6QT3yc8Bi3r/ZpHG:xqJ6T
Score

1^/10
behavioral27 behavioral28
- Target
  
  CipherWare Spoofer 04-29/Spoofer.exe
- Size
  
  5.9MB
- MD5
  
  482183f599a399384629aa7deb145b2e
- SHA1
  
  252c735e209efea8f92dafe4c50aea95f60915f2
- SHA256
  
  c941f6995ef56ab0fa76f5c604c134e86b5df21b45284e78669f3074be2473e7
- SHA512
  
  72eb143ae229041b9d3cd219df7cc54138c9f99f81409a825cdc9741b0483cf4dabfe7b9f410d843263cf665ebc171fbc6168c83ecbb14d123d4a3fe8d565c25
- SSDEEP
  
  98304:RXbIrqdcbu8gacqECpO0zSU8B2lJtc/jXwYUObL4Eyv3ZjmzTm7Sw:VIJbu8jzXyuY0YTf/+jmz5
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
behavioral29 behavioral30
- Target
  
  CipherWare Spoofer 04-29/TPM Bypass.exe
- Size
  
  5.4MB
- MD5
  
  226b0aaa3a81ae166681f1b3c41209f5
- SHA1
  
  1e932f41b49428704d2e1ee5cec08a4e61c7d094
- SHA256
  
  2c4bd49d86851a375e3669ee361e1a786d59765eb7dbaeeddc62f5cb18f1c66d
- SHA512
  
  290ec6a64f3166e516cdcdde28bb99644902598378a18b867e496e0fb821d6597e202d179653353a4da97c1a94f67fed4340e914306a837be85162c0b023a013
- SSDEEP
  
  98304:ZXbIrqkTdrVLNdMJ6Hz7OFBZqSn+m6mB5CxFwHXDty:9IBTdrhMJ6Hz0kSn+WKuHXDty
Score

9^/10

evasion execution trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Targets

UPX packed file

AutoIT Executable

AgentTesla payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Stops running service(s)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks for any installed AV software in registry

Checks whether UAC is enabled

Enumerates connected drives

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32