Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2023 04:07
Static task: static1
Behavioral task: behavioral1
- Sample: PO OAU_NOVQTRFA00541·PDF.scr
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: PO OAU_NOVQTRFA00541·PDF.scr
- Resource: win10v2004-20231127-en
(The signatures and process tree below are from the win10v2004-20231127-en run, behavioral2, which is the resource named under Analysis.)
General
- Target: PO OAU_NOVQTRFA00541·PDF.scr
  The only real extension is .scr, a Windows screensaver, which is an ordinary PE executable. The "·PDF" before it is a lure: the character is a middle dot (U+00B7), not a period, so this is a single-extension executable dressed up to read as a PDF in a purchase-order phishing attachment.
- Size: 813KB
- MD5: 01117545c435423593adf192c6361730
- SHA1: 8bfbf242a8980921ebf82f8a1bd64c9313b9715d
- SHA256: b1408013b2aafe2fdfc5a240945fce0d2b784862b8343d8297afbf031d02dd33
- SHA512: b0c7b610bee518cc520226f23594464a32d166e98959b46c45989a583f78b5b8d3670b1309e632e967e79ed5d8267ee639da49f0b024e5a40c6dc03c129768cf
- SSDEEP: 12288:eiJUgNlYQginsOnNPkoJlVD5aPI7r4krvby:euUgNldnJhFJl/iI7frvby
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: breijhyswzsjmyqd
- Email To: [email protected]
Port 587 is the SMTP submission port (STARTTLS), so stolen data leaves the host as ordinary authenticated mail to a public provider rather than to a dedicated C2 server. The username and password are the actor's collection mailbox, not a victim credential; the two addresses are masked on this page as "[email protected]". For detection, the host and port pair, plus any SMTP submission traffic from a process that is not a mail client, are the usable indicators.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, clipboard capture and stored-credential theft); this sample carries the SMTP variant of its exfiltration configuration.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4316 set thread context of 4024 | 4316 | PO OAU_NOVQTRFA00541·PDF.scr | aspnet_compiler.exe
- Program crash (1 IoC)
  pid | pid_target | process | target process
  3484 | 4024 | WerFault.exe | aspnet_compiler.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4024 | aspnet_compiler.exe
  4024 | aspnet_compiler.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4024 | aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 4316 wrote to memory of 4024 | 4316 | PO OAU_NOVQTRFA00541·PDF.scr | aspnet_compiler.exe
  (the same entry is recorded eight times, one per write)
Read together, these rows are the process hollowing pattern: the .scr (PID 4316) spawns a legitimate, signed .NET Framework binary, aspnet_compiler.exe (PID 4024), writes into it eight times and then calls SetThreadContext on it so that the child's thread starts in the written payload. The process enumeration and SeDebugPrivilege acquisition that follow are performed by the hollowed process, not by the dropper. The WerFault entry shows that the hollowed process then crashed, so the payload very likely never reached its SMTP exfiltration step in this run; the configuration above would then have been recovered from the unpacked payload rather than observed on the network.
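The hollowing sequence and the SMTP exfiltration config above are the two things a detection engineer would want to turn into rules. The following Python is an added example and is not code from the Triage report or from Hatching: it replays a constructed event list modelled on the report's IoC rows (PIDs, image paths, API names and the extracted host and port are taken from the page) and returns a finding when a parent creates a .NET Framework binary, writes into it and then sets its thread context, and a second finding for any connection matching the extracted C2 or any SMTP submission from a non-mail-client process. The event schema, the parent PIDs, the list of other hollow targets, the mail-client allow-list and the `net_connect` event are assumptions; the report lists no network IoC because the hollowed process crashed, so that event is included only to exercise the rule.

```python
"""Detection logic for this report's behaviour: process hollowing of a .NET
Framework binary followed by SMTP exfiltration.

Added example, not code from the Triage report. PIDs, image paths, API names
and the SMTP host/port come from the report; the event schema, ppid values,
the net_connect event and the allow/deny lists are assumptions.
"""
import ntpath
from collections import defaultdict

# .NET Framework binaries commonly hollowed by commodity stealers.
# Assumption: aspnet_compiler.exe is from this report; the rest are
# well-known equivalents not mentioned on the page.
NET_HOLLOW_TARGETS = {
    "aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
    "msbuild.exe", "installutil.exe", "vbc.exe", "csc.exe",
}
# Processes allowed to speak SMTP submission from a workstation (assumption).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Host and port from the report's extracted config (credentials omitted).
AGENTTESLA_CONFIG = {"protocol": "smtp", "host": "smtp.yandex.com", "port": 587}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr"
TARGET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed event stream in report order (ppid 1000 for the dropper is made up).
EVENTS = (
    [{"op": "process_create", "pid": 4316, "ppid": 1000, "image": SAMPLE},
     {"op": "process_create", "pid": 4024, "ppid": 4316, "image": TARGET}]
    + [{"op": "WriteProcessMemory", "pid": 4316, "target": 4024}] * 8
    + [{"op": "SetThreadContext", "pid": 4316, "target": 4024},
       {"op": "AdjustPrivilegeToken", "pid": 4024, "priv": "SeDebugPrivilege"},
       # Not in the report (the payload crashed); what a successful run would show.
       {"op": "net_connect", "pid": 4024, "dst_host": "smtp.yandex.com", "dst_port": 587},
       {"op": "process_create", "pid": 3484, "ppid": 4024, "image": WERFAULT}]
)


def basename(image):
    return ntpath.basename(image).lower()


def bitness(image):
    """On x64 Windows, SysWOW64 and Microsoft.NET\\Framework\\ (not Framework64\\)
    hold the 32-bit binaries; anything else is assumed 64-bit."""
    p = image.lower()
    return 32 if ("\\syswow64\\" in p or "\\framework\\" in p) else 64


def find_hollowing(events):
    """One finding per (injector, target) pair that shows the hollowing sequence:
    injector created the target, wrote into it, then called SetThreadContext."""
    image, parent, writes = {}, {}, defaultdict(int)
    first_write, first_ctx = {}, {}
    for i, e in enumerate(events):
        if e["op"] == "process_create":
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
        elif e["op"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
            first_write.setdefault((e["pid"], e["target"]), i)
        elif e["op"] == "SetThreadContext":
            first_ctx.setdefault((e["pid"], e["target"]), i)
    findings = []
    for (injector, target), ctx_at in first_ctx.items():
        # Hollowing creates its own (suspended) victim and fills it before
        # redirecting the thread; no write, or writes only afterwards, is not it.
        if parent.get(target) != injector or first_write.get((injector, target), ctx_at + 1) > ctx_at:
            continue
        tname = basename(image.get(target, ""))
        findings.append({
            "injector": image.get(injector, str(injector)),
            "target": image.get(target, str(target)),
            "target_pid": target,
            "writes": writes[(injector, target)],
            "bitness": bitness(image.get(target, "")),
            "severity": "high" if tname in NET_HOLLOW_TARGETS else "medium",
        })
    return findings


def find_exfil(events, config, hollowed_pids=()):
    """Flag connections to the extracted C2 and SMTP submission from non-mail clients."""
    image = {e["pid"]: e["image"] for e in events if e["op"] == "process_create"}
    hits = []
    for e in events:
        if e["op"] != "net_connect":
            continue
        proc = basename(image.get(e["pid"], ""))
        reasons = []
        if (e["dst_host"], e["dst_port"]) == (config["host"], config["port"]):
            reasons.append("matches extracted agenttesla smtp config")
        if e["dst_port"] in SMTP_PORTS and proc not in MAIL_CLIENTS:
            reasons.append("smtp submission from non-mail-client process")
        if e["pid"] in hollowed_pids:
            reasons.append("process was hollowed earlier in the trace")
        if reasons:
            hits.append({"pid": e["pid"], "process": proc,
                         "dst": f'{e["dst_host"]}:{e["dst_port"]}', "reasons": reasons})
    return hits


def analyse(events=EVENTS, config=AGENTTESLA_CONFIG):
    hollow = find_hollowing(events)
    exfil = find_exfil(events, config, {f["target_pid"] for f in hollow})
    return {"hollowing": hollow, "exfil": exfil}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

The ordering check matters: a write that only happens after SetThreadContext is a different (and much rarer) pattern, and requiring the target to be the injector's own child is what separates hollowing from injection into an already running process. The bitness inference explains why WerFault was launched from SysWOW64 in this report: the dropper hollowed the 32-bit Framework copy of aspnet_compiler.exe.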
Processes
1. "C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr" /S (PID 4316)
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 4024)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1404 (PID 3484)
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4024 -ip 4024 (PID 732)
The /S switch is what Windows passes to a .scr when it is opened to run as a screensaver, so the sample was launched the way a double-click would launch it. The child is started with no arguments, which is itself unusual for aspnet_compiler.exe; it is chosen only as a signed Microsoft host for the injected payload. Both the child (Framework rather than Framework64) and the WerFault instances (SysWOW64) are 32-bit, so the dropper hollowed the 32-bit copy of the binary on this x64 guest.