Malware Analysis Report

2025-05-05 21:52

Sample ID 221018-m9pv8sfed9
Target COAVegum-pdf.js
SHA256 bdfeaf2f10c5843da5e7a5b5cfefe48f60cd4754d2a331c8c1dfb5c3a90fb7d1
Tags
agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdfeaf2f10c5843da5e7a5b5cfefe48f60cd4754d2a331c8c1dfb5c3a90fb7d1

Threat Level: Known bad

The file COAVegum-pdf.js was found to be: Known bad.

Malicious Activity Summary

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm

Vjw0rm

AgentTesla

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops startup file

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-18 11:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-18 11:10

Reported

2022-10-18 11:12

Platform

win7-20220812-en

Max time kernel

128s

Max time network

141s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\audio_dg = "C:\\Users\\Admin\\AppData\\Roaming\\audio_dg\\audio_dg.exe" C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js"

C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe

"C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:443 api.ipify.org tcp
US 8.8.8.8:53 server240.web-hosting.com udp
US 199.188.200.15:587 server240.web-hosting.com tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp

Files

memory/1948-54-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

memory/2020-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js

MD5 e2f132785fa07b0d29a5e94676f06e0b
SHA1 6e8cd782c173a0b145d68a16952e7aa3a5bc26a1
SHA256 844966b61c3a7065a8b313ad25d65dd05ee4440c4b1f609fd0d175c926ce8d85
SHA512 88ad1be03af8ecb549008e095c219848dec04398352fd1c8e7d6e706dbb9642f07fc87b326c56c288a93bc451512f60f8c8f6b250ea1609aa47e02831586dd57

memory/1516-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe

MD5 d38c08505b96562261c3920265bb4f97
SHA1 7b7bb2838e3e04d412fdde726b351ac0a6eaba80
SHA256 83a0e9ffbf7ec5895ec2062597c34e6e88cc48a608896e2722b78677e2e04ea9
SHA512 9eac7bb3dac64db0aa5c90d6609545fb1b2c07b7721c01046db11742e4097e9c6b842dadd9e97627e6f9df73abe98494e2616467a339051fc9cf8fc00df0b4d8

memory/1516-61-0x0000000000980000-0x00000000009BC000-memory.dmp

memory/1516-62-0x00000000764D1000-0x00000000764D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-18 11:10

Reported

2022-10-18 11:12

Platform

win10v2004-20220901-en

Max time kernel

142s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audio_dg = "C:\\Users\\Admin\\AppData\\Roaming\\audio_dg\\audio_dg.exe" C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js"

C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe

"C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:443 api.ipify.org tcp
US 8.8.8.8:53 server240.web-hosting.com udp
US 199.188.200.15:587 server240.web-hosting.com tcp
US 20.189.173.12:443 tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
US 8.238.21.254:80 tcp
US 8.238.21.254:80 tcp
US 8.238.21.254:80 tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp
NG 154.120.121.141:5465 javaautorun.duia.ro tcp

Files

memory/3140-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js

MD5 e2f132785fa07b0d29a5e94676f06e0b
SHA1 6e8cd782c173a0b145d68a16952e7aa3a5bc26a1
SHA256 844966b61c3a7065a8b313ad25d65dd05ee4440c4b1f609fd0d175c926ce8d85
SHA512 88ad1be03af8ecb549008e095c219848dec04398352fd1c8e7d6e706dbb9642f07fc87b326c56c288a93bc451512f60f8c8f6b250ea1609aa47e02831586dd57

memory/3084-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe

MD5 d38c08505b96562261c3920265bb4f97
SHA1 7b7bb2838e3e04d412fdde726b351ac0a6eaba80
SHA256 83a0e9ffbf7ec5895ec2062597c34e6e88cc48a608896e2722b78677e2e04ea9
SHA512 9eac7bb3dac64db0aa5c90d6609545fb1b2c07b7721c01046db11742e4097e9c6b842dadd9e97627e6f9df73abe98494e2616467a339051fc9cf8fc00df0b4d8

memory/3084-137-0x0000000000320000-0x000000000035C000-memory.dmp

memory/3084-138-0x00000000052F0000-0x0000000005894000-memory.dmp

memory/3084-139-0x0000000004D40000-0x0000000004DDC000-memory.dmp

memory/3084-140-0x00000000059E0000-0x0000000005A46000-memory.dmp

memory/3084-141-0x00000000065E0000-0x0000000006630000-memory.dmp

memory/3084-142-0x00000000067D0000-0x0000000006862000-memory.dmp

memory/3084-143-0x0000000006900000-0x000000000690A000-memory.dmp