makeve.exe

General

Target: makeve.exe
Filesize: 136KB
Completed: 25-03-2020 18:15
Score: 10/10
MD5: 9fed11cd0c0bc367b30b08650dfba78f
SHA1: 48ef476625cdbc1f74b83841ffc89e4b46615d05
SHA256: c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a

Malware Config

Extracted

Credentials

Protocol: smtp

Host: popeorigin5.pw

Port: 587

Username: sender@popeorigin5.pw

Password: 12345@Plesk

Signatures (8)


  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Suspicious use of NtSetInformationThreadHideFromDebugger
    makeve.exe, RegAsm.exe

    Reported IOCs

    pid   process
    4064  makeve.exe
    3148  RegAsm.exe
    3148  RegAsm.exe
  • Suspicious use of SetThreadContext
    makeve.exe

    Reported IOCs

    description                              pid   process     target process
    PID 4064 set thread context of 3148      4064  makeve.exe  RegAsm.exe
  • Suspicious behavior: EnumeratesProcesses
    RegAsm.exe

    Reported IOCs

    pid   process
    3148  RegAsm.exe
    3148  RegAsm.exe
  • Suspicious behavior: MapViewOfSection
    makeve.exe

    Reported IOCs

    pid   process
    4064  makeve.exe
  • Suspicious use of AdjustPrivilegeToken
    RegAsm.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   3148  RegAsm.exe
  • Suspicious use of SetWindowsHookEx
    makeve.exe

    Reported IOCs

    pid   process
    4064  makeve.exe
  • Suspicious use of WriteProcessMemory
    makeve.exe

    Reported IOCs

    description                          pid   process     target process
    PID 4064 wrote to memory of 3148     4064  makeve.exe  RegAsm.exe
    PID 4064 wrote to memory of 3148     4064  makeve.exe  RegAsm.exe
    PID 4064 wrote to memory of 3148     4064  makeve.exe  RegAsm.exe
    PID 4064 wrote to memory of 3148     4064  makeve.exe  RegAsm.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\makeve.exe
    "C:\Users\Admin\AppData\Local\Temp\makeve.exe"
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetThreadContext
    Suspicious behavior: MapViewOfSection
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\makeve.exe"
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3148
Network
MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation