Analysis
- max time kernel: 194s
- max time network: 248s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2022 12:48
Static task: static1
Behavioral task: behavioral1
- Sample: bf32f23a87b64a238e5050844edec9b7.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: bf32f23a87b64a238e5050844edec9b7.exe
- Resource: win10v2004-20220812-en
General
- Target: bf32f23a87b64a238e5050844edec9b7.exe
- Size: 321KB
- MD5: bf32f23a87b64a238e5050844edec9b7
- SHA1: c0a83fef7da08a4dc99d510b9d55aad00e4e549e
- SHA256: 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
- SHA512: a44efd51335fa4ad2e198fdf58ed5be39d62c01c811ceb12f954908fcb87459e5d9e935dac481e0bfefff4158e89e29d6d3b0519137486d0feaed9bf064a2621
- SSDEEP: 6144:QBn1VOu62SslcNRnuYrfQ6m/E07z5r6ZlASnb0e52:gVJYsGTuQQ6mMUZ4lAQbX52
Malware Config
Extracted family: agenttesla
URL: https://api.telegram.org/bot5655543251:AAF6zs8TWZ5wmyQhXrUZEpQjh6VaOy-aYoQ/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 1384 oyebl.exe
- 788 oyebl.exe
- 548 oyebl.exe
- 108 oyebl.exe
-
Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 836 bf32f23a87b64a238e5050844edec9b7.exe
- 1384 oyebl.exe (3 IoCs)
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (oyebl.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (oyebl.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (oyebl.exe)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ethjtred = "C:\\Users\\Admin\\AppData\\Roaming\\ethjtred\\ethjtred.exe" (oyebl.exe)
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 4 api.ipify.org
- 5 api.ipify.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1384 set thread context of 108 (1384 oyebl.exe, target oyebl.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
- 108 oyebl.exe (3 IoCs)
-
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes (pid, process):
- 1384 oyebl.exe (3 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 108 oyebl.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 108 oyebl.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description, pid, process, target process):
- PID 836 wrote to memory of 1384 (836 bf32f23a87b64a238e5050844edec9b7.exe, target oyebl.exe), 4 times
- PID 1384 wrote to memory of 788 (1384 oyebl.exe, target oyebl.exe), 4 times
- PID 1384 wrote to memory of 548 (1384 oyebl.exe, target oyebl.exe), 4 times
- PID 1384 wrote to memory of 108 (1384 oyebl.exe, target oyebl.exe), 5 times
-
outlook_office_path (1 IoC)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (oyebl.exe)
-
outlook_win_path (1 IoC)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (oyebl.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf32f23a87b64a238e5050844edec9b7.exe (PID 836, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bf32f23a87b64a238e5050844edec9b7.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID 1384, level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe" C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID 788, level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
    - Executes dropped EXE
-
    C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID 548, level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
    - Executes dropped EXE
-
    C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID 108, level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lixcyeorwp.el
- Filesize: 296KB
- MD5: b253d8e7b87314619febf5253abb45f8
- SHA1: adfb8fb23845640ac1cd2fd7520beca95724b9f2
- SHA256: cb43adfde012bc9b15cd637e76d42fdc2bea8676daf1c05ad308d2a65179beab
- SHA512: 3f19dbf4c461f8cd841726b899d39e01ad3d01873726e139b6c9771879b66907772d59f8bb63ba72b8c2f479cda4fe94cf0782c73f764e63668ba2d9c9d52478
-
C:\Users\Admin\AppData\Local\Temp\oyebl.exe
- Filesize: 100KB
- MD5: 5701d2a664caa35762c2b5410fffb414
- SHA1: 1ab89bbcaca22fabad6262056ce4f9871cba12ac
- SHA256: 9bf437e7c484009b04ef5bab603a388120854a4a4cfc3db74206b88fc74f7e4e
- SHA512: aa020f7d48ab2e7b3dd0dcb42998f808b55bdf3d3c565cc8de6815d2469b28b5b0cfcea2b17911d6727a9ce9e08619e41b152ef171083f47f6e33a9273b5d0e4
-
C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
- Filesize: 5KB
- MD5: 9afd4c9ed4a3fbde0922c5cb00b37ead
- SHA1: 22e96397cf4177df8cd71b85baf8745d39422816
- SHA256: 262be4bfa9e3bb6de52ff002f7c38177e711d58b9c86d0e1dcd8b52410124d52
- SHA512: ef4c6c3bf42aa40f24097214d261aefd28eb888d93c4c0ac2b0f8f2121eb0e0e429fea72cec7cd79c453332715dea932c29baed9dcc40fe0a9d65a9fdc45a67d
-
Memory dumps:
- memory/108-67-0x0000000000401896-mapping.dmp
- memory/108-70-0x0000000000350000-0x000000000038C000-memory.dmp (Filesize: 240KB)
- memory/108-71-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
- memory/836-54-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/1384-56-0x0000000000000000-mapping.dmp