Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 22-01-2024 19:12
Static task: static1
Behavioral task: behavioral1
  Sample: PO3452302659 pdf.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: PO3452302659 pdf.exe
  Resource: win10v2004-20231215-en
General
Target: PO3452302659 pdf.exe
Size: 1.5MB
MD5: fae4e4923fdb5a9079e873477bf92911
SHA1: 99dea9162447750cdd502fc0eb16f2ca7c54ea33
SHA256: fa248ec2c76556f7e9c71cc5979bea9f3cce8f565a44398b0e7fae3005f0b13a
SHA512: 126f372bc4431ad7a899f85c2f1f6d095966ed1eba8fc4cf3e6166514eb03a538bc6c29eae675330c811f6b62f2cb3cc17af1d6fbc8085ff84a6e7743efd8836
SSDEEP: 24576:iWaS+JEfphxW553sSntC6s+6qbU0saooQaPSMdLAWqY8fWFEIJ3VUPvymws5IgZs:eS+axysYC6syUkoPaPS2AJNyxUP+Mk
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.ionos.fr
  Port: 587
  Username: [email protected]
  Password: qualite77
Extracted
  agenttesla
  Protocol: smtp
  Host: smtp.ionos.fr
  Port: 587
  Username: [email protected]
  Password: qualite77
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process                 target process
    PID 4772 set thread context of 4324   4772  PO3452302659 pdf.exe    CasPol.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4324  CasPol.exe
    4324  CasPol.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   4772  PO3452302659 pdf.exe
    Token: SeDebugPrivilege   4324  CasPol.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid   process                 target process
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
    PID 4772 wrote to memory of 4324 4772  PO3452302659 pdf.exe    CasPol.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\PO3452302659 pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO3452302659 pdf.exe"
    PID: 4772
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        PID: 4324
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken