agenttesla | 82cc4887e303142d81ec7d606de24bfe9d14d3fd2d867759b4c150f502d456ed

General

Target

newanyiorigin.exe
Size

465KB
MD5

93993f994aa01d44877418064b35a6bd
SHA1

12892d6641fd748331d7aede80b660701e0d45a1
SHA256

82cc4887e303142d81ec7d606de24bfe9d14d3fd2d867759b4c150f502d456ed
SHA512

b6b701e8ff658c86937fc696f04aff41cc6d3fef7346b2e62a6465dbcb37e52f693173d45265925b81a5811b651288f632018619c487e3ce03e3adcb63e2f861

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1416-4-0x0000000000000000-mapping.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

844 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

844 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

844 rundll32.exe

pid	process
844	rundll32.exe

pid	process
844	rundll32.exe

pid	process
844	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

newanyiorigin.exerundll32.exe

description	pid	process	target process
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 1164 wrote to memory of 844	1164	newanyiorigin.exe	rundll32.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe
PID 844 wrote to memory of 1416	844	rundll32.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\newanyiorigin.exe
"C:\Users\Admin\AppData\Local\Temp\newanyiorigin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe BicornGasohol,Sunhats
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1416

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BicornGasohol.DLL
MD5
ea2f9af237cf9f119f68498727701ae0

SHA1
2e714699ef5e6e766aa91d3b74a254e28c0af48b

SHA256
a743db5c06b9b3bb9a9183d9ef9c7fbf14f3938c3e6785a7bae943c14579b830

SHA512
14c5e2935fc1ab68b4b99656c74fb374017514fab5a7248b958f0990c404d230efd9dcd5bb7eed2351a766d2fbfb078e00adaaa9484c61c37319d87b5c97c4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dynast
MD5
eebb7cc18e6f3f58c587c132e3086850

SHA1
62bcf6e0012e9a70d0e38b74f39a64bf543a3bf7

SHA256
1e48956974b342a00658ea5c3e0a66f3fe458e2fa54f2231d728a0f1d446a9c0

SHA512
35f0d3987c56c63c6dda7eab198a6f8324d1b34a98729fe66ea98b432be045d8699c3f105912d76ac4fa5a3c123bc318d40767b837e7f38db1db0c98e1179eb7

Download Submit
\Users\Admin\AppData\Local\Temp\BicornGasohol.dll
MD5
ea2f9af237cf9f119f68498727701ae0

SHA1
2e714699ef5e6e766aa91d3b74a254e28c0af48b

SHA256
a743db5c06b9b3bb9a9183d9ef9c7fbf14f3938c3e6785a7bae943c14579b830

SHA512
14c5e2935fc1ab68b4b99656c74fb374017514fab5a7248b958f0990c404d230efd9dcd5bb7eed2351a766d2fbfb078e00adaaa9484c61c37319d87b5c97c4e0

Download Submit
memory/844-0-0x0000000000000000-mapping.dmp

Download
memory/1416-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing