Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 04:07
Static task: static1
Behavioral task: behavioral1
- Sample: PO OAU_NOVQTRFA00541·PDF.scr
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: PO OAU_NOVQTRFA00541·PDF.scr
- Resource: win10v2004-20231127-en
General
- Target: PO OAU_NOVQTRFA00541·PDF.scr
- Size: 813KB
- MD5: 01117545c435423593adf192c6361730
- SHA1: 8bfbf242a8980921ebf82f8a1bd64c9313b9715d
- SHA256: b1408013b2aafe2fdfc5a240945fce0d2b784862b8343d8297afbf031d02dd33
- SHA512: b0c7b610bee518cc520226f23594464a32d166e98959b46c45989a583f78b5b8d3670b1309e632e967e79ed5d8267ee639da49f0b024e5a40c6dc03c129768cf
- SSDEEP: 12288:eiJUgNlYQginsOnNPkoJlVD5aPI7r4krvby:euUgNldnJhFJl/iI7frvby
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: breijhyswzsjmyqd
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2376 (PO OAU_NOVQTRFA00541·PDF.scr) set thread context of PID 2524 (aspnet_compiler.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 2524 (aspnet_compiler.exe), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  PID 2524 (aspnet_compiler.exe), Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  PID 2524 (aspnet_compiler.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  PID 2376 (PO OAU_NOVQTRFA00541·PDF.scr) wrote to memory of PID 2524 (aspnet_compiler.exe), 9 occurrences
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr" /S
  PID: 2376
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 2376): C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    PID: 2524
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
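The signature rows and the process tree above describe one chain: the .scr dropper spawns aspnet_compiler.exe with no arguments, writes into it nine times and then calls SetThreadContext, which is the process hollowing sequence; the payload afterwards runs under the legitimate .NET Framework image, enables SeDebugPrivilege, installs a Windows hook and (per the extracted config) mails stolen data over SMTP. The following Python is an added example, not part of this sandbox report and not any vendor's tooling: it replays the chain as constructed host-telemetry events and reports the hollowing pattern, the lure filename (a U+00B7 middle dot standing in for "." before the decoy PDF extension, with .scr as the real extension) and the follow-on signals from the hollowed host. The event schema, the list of .NET hosts, the set of dot lookalikes, the parent PID of the dropper and the network event (the report has no network row; the SMTP endpoint is taken from the extracted config) are assumptions; PIDs, image paths and API names come from the report. The filename check deliberately goes beyond the middle dot to other dot lookalikes, the right-to-left override and plain double extensions.

```python
"""Replays the sandbox chain above as host-telemetry events and flags the hollowing pattern.

Added example, not part of the sandbox report or of any vendor's tooling. Event schema,
host list, dot-lookalike set and the network event are assumptions; PIDs, paths and
API names mirror the report.
"""
from collections import defaultdict

# .NET Framework utilities routinely abused as hollowing hosts (assumption: illustrative list)
DOTNET_HOSTS = {"aspnet_compiler.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "applaunch.exe", "caspol.exe"}
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
               "c:\\windows\\microsoft.net\\framework64\\")
# Extensions that run on double-click, and characters that pass for "." in a file name
EXEC_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
FAKE_DOTS = {"\u00b7", "\u2024", "\u2027", "\uff0e"}  # middle dot, one dot leader, hyphenation point, fullwidth stop
RTLO = "\u202e"
MAIL_PORTS = {25, 465, 587}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lure_filename(name):
    """Reason string if an executable extension hides behind a decoy one, else None."""
    lower = name.lower()
    if "." not in lower:
        return None
    ext = lower[lower.rfind("."):]
    if ext not in EXEC_EXT:
        return None
    stem = lower[:-len(ext)]
    if RTLO in name:
        return f"right-to-left override before real {ext}"
    for dot in FAKE_DOTS:
        if dot in stem:
            return f"decoy extension separated by U+{ord(dot):04X} before real {ext}"
    if "." in stem:
        return f"double extension {stem[stem.rfind('.'):]}{ext}"
    return None


def has_args(image, cmdline):
    """True if the command line carries anything beyond the (possibly quoted) image path."""
    c = cmdline.strip()
    if c.startswith('"'):
        parts = c[1:].split('"', 1)
        return len(parts) > 1 and bool(parts[1].strip())
    rest = c[len(image):] if c.lower().startswith(image.lower()) else c
    return bool(rest.strip())


def triage(events):
    """Return human-readable findings for a list of process / api / net events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    apis = defaultdict(set)  # (caller pid, target pid) -> APIs observed
    for e in events:
        if e["type"] == "api":
            apis[(e["pid"], e.get("target_pid", e["pid"]))].add(e["api"])

    findings = []
    for p in procs.values():
        why = lure_filename(basename(p["image"]))
        if why:
            findings.append(f"pid {p['pid']}: lure filename ({why})")

    hollowed = []
    for (src, tgt), seen in apis.items():
        s, t = procs.get(src), procs.get(tgt)
        if not s or not t or src == tgt or t["ppid"] != src:
            continue
        # A hollowing host is a .NET utility the parent just spawned with no arguments;
        # a genuine build (devenv -> msbuild project.csproj) always passes arguments.
        headless = (basename(t["image"]) in DOTNET_HOSTS
                    and t["image"].lower().startswith(DOTNET_DIRS)
                    and not has_args(t["image"], t["cmdline"]))
        if headless and {"WriteProcessMemory", "SetThreadContext"} <= seen:
            hollowed.append(tgt)
            findings.append(f"pid {src} -> {tgt}: process hollowing of {basename(t['image'])} "
                            "(WriteProcessMemory + SetThreadContext into argument-less .NET host)")

    # Follow-on behaviour is only reported once the host is known to be hollowed.
    for tgt in hollowed:
        own = [e for e in events if e.get("pid") == tgt and e["type"] != "process"]
        if any(e.get("priv") == "SeDebugPrivilege" for e in own):
            findings.append(f"pid {tgt}: SeDebugPrivilege enabled in hollowed host")
        if any(e.get("api") == "SetWindowsHookEx" for e in own):
            findings.append(f"pid {tgt}: SetWindowsHookEx from hollowed host (keylogging hook)")
        for e in own:
            if e["type"] == "net" and e["dport"] in MAIL_PORTS:
                findings.append(f"pid {tgt}: SMTP to {e['host']}:{e['dport']} from hollowed host (exfiltration)")
    return findings


# Constructed events mirroring the report's process tree and signature rows.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2376, "ppid": 0,  # parent PID not in the report (assumption)
     "image": r"C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr" /S'},
    {"type": "process", "pid": 2524, "ppid": 2376,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    *[{"type": "api", "pid": 2376, "target_pid": 2524, "api": "WriteProcessMemory"}] * 9,
    {"type": "api", "pid": 2376, "target_pid": 2524, "api": "SetThreadContext"},
    {"type": "api", "pid": 2524, "api": "AdjustTokenPrivileges", "priv": "SeDebugPrivilege"},
    {"type": "api", "pid": 2524, "api": "SetWindowsHookEx"},
    # Not observed by the sandbox; constructed from the extracted SMTP config (assumption).
    {"type": "net", "pid": 2524, "host": "smtp.yandex.com", "dport": 587},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The "no arguments" test is what separates this chain from legitimate use of the same binaries: a real build or deployment passes a project, assembly or config path to aspnet_compiler.exe, MSBuild or RegSvcs, whereas a hollowing loader starts the host with nothing but its own path because the host's code is never meant to run.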