Overview

overview

10

Static

static

7

SpyderCrypter.exe

windows7-x64

10

SpyderCrypter.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SpyderCrypter.exe

  • Size

    4.8MB

  • MD5

    b3fb79184d1097420fb68b0240df9660

  • SHA1

    60fcb2b85867b247bb5c622f121e4ab208c7da9c

  • SHA256

    8babb9a5318d0b2fa43d6c18e91a23a70de547243db91f866e50bb2ff1b7db8b

  • SHA512

    130ecef6b8d4418784dafa341277b214693c0d1849e6cf04a87193eb413b3ae0cef7eeb3124494a8bca33ffb2d1b27f875adeadbae1aea3d2ff767710471807e

  • SSDEEP

    98304:FYh322d2m5YhkvxW/gGfoq8Np9qAX7z3z9CW6dwFdkyRYq/:FYhGy2tqvpoT8NvzJTp/

Score
10/10
agenttesladefense_evasiondiscoveryevasionkeyloggerspywarestealerthemidatrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\SpyderCrypter.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe
      "C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:4680
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2136
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C computerdefaults.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Windows\SysWOW64\ComputerDefaults.exe
          computerdefaults.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\SysWOW64\wscript.exe
            "wscript.exe" C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:68
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4716
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC ONLOGON /TN BraveUpdateScheduler_QMyk9gHxWJYAojiqe050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\QMyk9gHxWJYAojiqe050MX.exe" /RL HIGHEST /IT
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 2292
        3⤵
        • Program crash
        PID:2700
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
    1⤵
      PID:2128

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SpyderResources.exe
      Filesize

      11KB

      MD5

      cc132ca7e1cf77db1a3e737260fcf14b

      SHA1

      f6058656d44e95c23071251b278bc779a88083da

      SHA256

      4c62d4e150f91dc3fdd1f29c955763c52f357045b1a2edf98ac272631dfdb210

      SHA512

      52e64fdf7acf08525ddb352b0dd0b6ca3df8d8f13fa09dcd31c270c4e2040f2361c04ba56915cd05539f581df712562537239fbc942131cc725502af6d010fee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jackpear63605335.vbs
      Filesize

      171B

      MD5

      a34267102c21aff46aecc85598924544

      SHA1

      77268af47c6a4b9c6be7f7487b2c9b233d49d435

      SHA256

      eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

      SHA512

      5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

      Download Submit

    • memory/2616-16-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-7-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-2-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-5-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-44-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-6-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-10-0x0000000000F70000-0x000000000197C000-memory.dmp

      Filesize

      10.0MB

      Download

    • memory/2616-11-0x0000000000F70000-0x000000000197C000-memory.dmp

      Filesize

      10.0MB

      Download

    • memory/2616-12-0x0000000006C20000-0x00000000071C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2616-13-0x0000000006370000-0x0000000006402000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2616-14-0x0000000006300000-0x000000000630A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2616-42-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-0-0x0000000000F70000-0x000000000197C000-memory.dmp

      Filesize

      10.0MB

      Download

    • memory/2616-17-0x0000000007BA0000-0x0000000007C50000-memory.dmp

      Filesize

      704KB

      Download

    • memory/2616-3-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-4-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-15-0x0000000006770000-0x0000000006984000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2616-37-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-36-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2616-35-0x0000000075B90000-0x0000000075B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-1-0x0000000075B90000-0x0000000075B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-32-0x0000000000F70000-0x000000000197C000-memory.dmp

      Filesize

      10.0MB

      Download

    • memory/2616-38-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3840-29-0x0000000000C60000-0x0000000000C6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3840-30-0x0000000002790000-0x00000000027AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3840-34-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3840-41-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3840-33-0x0000000075B70000-0x0000000075C60000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3840-31-0x0000000000F20000-0x0000000000F2A000-memory.dmp

      Filesize

      40KB

      Download