Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe
  Resource: win10v2004-20240226-en
General
Target: Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe
Size: 2.0MB
MD5: d81b4a2a5f96fb13ba259a1fae296ace
SHA1: ba47840dfff065356f10a05464c75c6a4cb70b7a
SHA256: c685ab98e1910af3a51286a6d68d706e2a7be5298f74c061f98b9e87e290d357
SHA512: 586908b31e61657f9f55b914f5b3a5b232ea1d1219025d2765a8d5f5bf35aa127d610d82c597bc38ddc8d69167179f068949a72ae28ab2f9732f0b2f76ba7bb8
SSDEEP: 24576:kynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52tOXuq01dKqOFCBvx1prO:VjN3CdJ81nEQhs30eruqsrOFCBbprO
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: [email protected]
Password: BTwcMq@2
Email To: [email protected]
These are the mailbox credentials the stealer uses to send harvested data to the operator over SMTP submission (port 587); the sender and recipient addresses are redacted in this copy of the report. The host, port and password are the actionable indicators: block or alert on outbound SMTP to mail.privateemail.com from user endpoints, and treat the account as attacker-controlled.
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written for the .NET Framework (Visual Basic .NET), consistent with the .NET Framework host process it runs inside below.

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  15    api.ipify.org
  16    api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  PID 4900 Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe set thread context of PID 560 AddInProcess32.exe
  Taken together with the WriteProcessMemory events below (parent writes into a child it spawned, then redirects that child's thread), this is the process-hollowing pattern: the dropper launches a signed, normally idle .NET Framework host and runs its payload inside it.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 560 AddInProcess32.exe
  PID 560 AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 560 AddInProcess32.exe enabled token privilege SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
  8 events, all identical: PID 4900 Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe wrote to memory of PID 560 AddInProcess32.exe
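The signatures above are listed one at a time, but the verdict comes from correlating them per process pair. The following Python is an added example (not sandbox output or vendor code) that rebuilds the process tree from events constructed by hand from this report's Signatures and Processes sections (PIDs 4900 and 560, the eight WriteProcessMemory calls, SetThreadContext, SeDebugPrivilege, the api.ipify.org lookups) and flags the double-extension masquerade, the hollowing chain into AddInProcess32.exe, and the post-injection tells. The event schema, rule names and the list of hollowing targets are this example's own assumptions.

```python
"""Correlate sandbox behaviour events into process-injection findings.

Added example, not part of the report above. REPORT_EVENTS is constructed
by hand from the report's listed signatures; the event schema, rule names
and HOLLOW_TARGETS list are assumptions of this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Signed Windows/.NET binaries that are usually idle and rarely spawned by
# user applications, hence popular hollowing targets (assumed list).
HOLLOW_TARGETS = {
    "addinprocess32.exe", "addinprocess.exe", "addinutil.exe",
    "installutil.exe", "regasm.exe", "regsvcs.exe", "cvtres.exe",
}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org", "icanhazip.com"}
# Document-looking name with an executable extension appended, e.g. ".pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif)$", re.I)


@dataclass
class Process:
    pid: int
    image: str = ""
    parent: int | None = None
    wrote_to: dict[int, int] = field(default_factory=lambda: defaultdict(int))
    set_context_on: set[int] = field(default_factory=set)
    privileges: set[str] = field(default_factory=set)
    dns: set[str] = field(default_factory=set)

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def build_tree(events: list[dict]) -> dict[int, Process]:
    """Fold flat behaviour events into per-process records."""
    procs: dict[int, Process] = {}
    proc = lambda pid: procs.setdefault(pid, Process(pid))
    for ev in events:
        kind = ev["event"]
        if kind == "process_start":
            p = proc(ev["pid"]); p.image = ev["image"]; p.parent = ev.get("parent")
        elif kind == "WriteProcessMemory":
            proc(ev["pid"]).wrote_to[ev["target"]] += 1
        elif kind == "SetThreadContext":
            proc(ev["pid"]).set_context_on.add(ev["target"])
        elif kind == "AdjustPrivilegeToken":
            proc(ev["pid"]).privileges.add(ev["privilege"])
        elif kind == "dns":
            proc(ev["pid"]).dns.add(ev["host"])
    return procs


def detect(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings; an empty list means nothing fired."""
    procs = build_tree(events)
    findings: list[tuple[str, int, str]] = []
    for p in procs.values():
        if DOUBLE_EXT.search(p.name):
            findings.append(("masquerade_double_extension", p.pid, p.name))
        # Hollowing: the parent spawns a child, writes into it, then redirects
        # the child's thread. Require all three from the same parent.
        for tgt_pid in sorted(p.set_context_on):
            tgt = procs.get(tgt_pid)
            if tgt is None or tgt.parent != p.pid or p.wrote_to.get(tgt_pid, 0) == 0:
                continue
            confidence = "high" if tgt.name in HOLLOW_TARGETS else "medium"
            findings.append(("process_hollowing", p.pid,
                             f"{p.name} -> {tgt.name} (pid {tgt_pid}, "
                             f"{p.wrote_to[tgt_pid]} writes, {confidence})"))
        # Post-injection tells: a framework host binary has no business
        # enabling SeDebugPrivilege or asking a public service for its IP.
        if p.name in HOLLOW_TARGETS:
            if "SeDebugPrivilege" in p.privileges:
                findings.append(("unexpected_debug_privilege", p.pid, p.name))
            hits = p.dns & IP_LOOKUP_HOSTS
            if hits:
                findings.append(("external_ip_lookup", p.pid, ",".join(sorted(hits))))
    return findings


# Constructed from the report's Signatures/Processes sections (not raw sandbox output).
SAMPLE = "Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe"
REPORT_EVENTS = [
    {"event": "process_start", "pid": 4900, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE},
    {"event": "process_start", "pid": 560, "parent": 4900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
] + [{"event": "WriteProcessMemory", "pid": 4900, "target": 560}] * 8 + [
    {"event": "SetThreadContext", "pid": 4900, "target": 560},
    {"event": "AdjustPrivilegeToken", "pid": 560, "privilege": "SeDebugPrivilege"},
    {"event": "dns", "pid": 560, "host": "api.ipify.org"},
    {"event": "dns", "pid": 560, "host": "api.ipify.org"},
    # Edge utility process also present in the report: not a child of the sample, no signatures.
    {"event": "process_start", "pid": 3972, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(REPORT_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The hollowing rule deliberately requires the parent-child relationship plus both API families; a lone WriteProcessMemory into an unrelated process (debuggers, some installers) or SetThreadContext on a process's own threads would not fire. The Edge process constructed alongside the sample produces no finding, which is the behaviour you want from a rule run against real endpoint telemetry.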
Processes

1. C:\Users\Admin\AppData\Local\Temp\Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe (PID 4900)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Zamwnr90016288247ZNG1406MG2024004782922.pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 560, child of 4900)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Launched with no arguments by a user-writable Temp-path executable, then hollowed by its parent (see the SetThreadContext and WriteProcessMemory signatures); the EnumeratesProcesses, SeDebugPrivilege and api.ipify.org activity is the injected Agent Tesla payload running under this legitimate image name.

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3972)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4220 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
   Not a child of the sample and carries no signatures; treat it as sandbox environment noise rather than sample behaviour.