agenttesla | 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06

Analysis

max time kernel
257s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe
Size

321KB
MD5

bf32f23a87b64a238e5050844edec9b7
SHA1

c0a83fef7da08a4dc99d510b9d55aad00e4e549e
SHA256

783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
SHA512

a44efd51335fa4ad2e198fdf58ed5be39d62c01c811ceb12f954908fcb87459e5d9e935dac481e0bfefff4158e89e29d6d3b0519137486d0feaed9bf064a2621
SSDEEP

6144:QBn1VOu62SslcNRnuYrfQ6m/E07z5r6ZlASnb0e52:gVJYsGTuQQ6mMUZ4lAQbX52

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

oyebl.exeoyebl.exe

pid process

4436 oyebl.exe
1152 oyebl.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

oyebl.exe

description pid process target process

PID 4436 set thread context of 1152 4436 oyebl.exe oyebl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

oyebl.exe

pid process

4436 oyebl.exe

pid	process
4436	oyebl.exe
1152	oyebl.exe

description	pid	process	target process
PID 4436 set thread context of 1152	4436	oyebl.exe	oyebl.exe

pid	process
4436	oyebl.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exeoyebl.exe

description	pid	process	target process
PID 3068 wrote to memory of 4436	3068	783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe	oyebl.exe
PID 3068 wrote to memory of 4436	3068	783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe	oyebl.exe
PID 3068 wrote to memory of 4436	3068	783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe	oyebl.exe
PID 4436 wrote to memory of 1152	4436	oyebl.exe	oyebl.exe
PID 4436 wrote to memory of 1152	4436	oyebl.exe	oyebl.exe
PID 4436 wrote to memory of 1152	4436	oyebl.exe	oyebl.exe
PID 4436 wrote to memory of 1152	4436	oyebl.exe	oyebl.exe

C:\Users\Admin\AppData\Local\Temp\783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe
"C:\Users\Admin\AppData\Local\Temp\783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\oyebl.exe
"C:\Users\Admin\AppData\Local\Temp\oyebl.exe" C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\oyebl.exe
"C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
3⤵
- Executes dropped EXE
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lixcyeorwp.el
Filesize
296KB

MD5
b253d8e7b87314619febf5253abb45f8

SHA1
adfb8fb23845640ac1cd2fd7520beca95724b9f2

SHA256
cb43adfde012bc9b15cd637e76d42fdc2bea8676daf1c05ad308d2a65179beab

SHA512
3f19dbf4c461f8cd841726b899d39e01ad3d01873726e139b6c9771879b66907772d59f8bb63ba72b8c2f479cda4fe94cf0782c73f764e63668ba2d9c9d52478

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyebl.exe
Filesize
100KB

MD5
5701d2a664caa35762c2b5410fffb414

SHA1
1ab89bbcaca22fabad6262056ce4f9871cba12ac

SHA256
9bf437e7c484009b04ef5bab603a388120854a4a4cfc3db74206b88fc74f7e4e

SHA512
aa020f7d48ab2e7b3dd0dcb42998f808b55bdf3d3c565cc8de6815d2469b28b5b0cfcea2b17911d6727a9ce9e08619e41b152ef171083f47f6e33a9273b5d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyebl.exe
Filesize
100KB

MD5
5701d2a664caa35762c2b5410fffb414

SHA1
1ab89bbcaca22fabad6262056ce4f9871cba12ac

SHA256
9bf437e7c484009b04ef5bab603a388120854a4a4cfc3db74206b88fc74f7e4e

SHA512
aa020f7d48ab2e7b3dd0dcb42998f808b55bdf3d3c565cc8de6815d2469b28b5b0cfcea2b17911d6727a9ce9e08619e41b152ef171083f47f6e33a9273b5d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyebl.exe
Filesize
100KB

MD5
5701d2a664caa35762c2b5410fffb414

SHA1
1ab89bbcaca22fabad6262056ce4f9871cba12ac

SHA256
9bf437e7c484009b04ef5bab603a388120854a4a4cfc3db74206b88fc74f7e4e

SHA512
aa020f7d48ab2e7b3dd0dcb42998f808b55bdf3d3c565cc8de6815d2469b28b5b0cfcea2b17911d6727a9ce9e08619e41b152ef171083f47f6e33a9273b5d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
Filesize
5KB

MD5
9afd4c9ed4a3fbde0922c5cb00b37ead

SHA1
22e96397cf4177df8cd71b85baf8745d39422816

SHA256
262be4bfa9e3bb6de52ff002f7c38177e711d58b9c86d0e1dcd8b52410124d52

SHA512
ef4c6c3bf42aa40f24097214d261aefd28eb888d93c4c0ac2b0f8f2121eb0e0e429fea72cec7cd79c453332715dea932c29baed9dcc40fe0a9d65a9fdc45a67d

Download Submit
memory/1152-137-0x0000000000000000-mapping.dmp

Download
memory/1152-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1152-140-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/4436-132-0x0000000000000000-mapping.dmp

Download