Overview

overview

10

Static

static

Messages Alert.exe

windows7_x64

10

Messages Alert.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-02-2021 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Messages Alert.exe

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://files.000webhost.com/
  • Port:
    21
  • Username:
    zinco
  • Password:
    computer147

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
    "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bEAtZomlY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD68B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1504
    • C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
      "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
      2⤵
        PID:732
      • C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
        "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
        2⤵
          PID:744
        • C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
          "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          PID:3996

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Messages Alert.exe.log
        MD5

        c3cc52ccca9ff2b6fa8d267fc350ca6b

        SHA1

        a68d4028333296d222e4afd75dea36fdc98d05f3

        SHA256

        3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

        SHA512

        b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpD68B.tmp
        MD5

        2313f6255ae463759cde9e7f2fc10f8b

        SHA1

        6a95234107646a9e5250a147a0043b11c19123a9

        SHA256

        2fe8dbfabdf424446d567b3a410415e296fb1ef52011bfce46bee52ea9c99c39

        SHA512

        4ebb1ce9c44cc869831ab78eb2814dcc06e66f5636543a538bca48488f9427dd7bcd0a954a7a6f132b1288402e4ccd94d64dc685f928ccd39884de3ac8ba20eb

        Download Submit
      • memory/1036-11-0x0000000006690000-0x00000000066EC000-memory.dmp
        Filesize

        368KB

        Download
      • memory/1036-3-0x0000000000040000-0x0000000000041000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1036-7-0x0000000004A30000-0x0000000004A31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1036-8-0x0000000004920000-0x0000000004921000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1036-9-0x0000000004930000-0x0000000004931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1036-10-0x0000000004C10000-0x0000000004C13000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1036-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1036-6-0x0000000004990000-0x0000000004991000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1036-5-0x0000000004E90000-0x0000000004E91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1504-12-0x0000000000000000-mapping.dmp
        Download
      • memory/3996-15-0x00000000004375DE-mapping.dmp
        Download
      • memory/3996-14-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3996-17-0x0000000073EE0000-0x00000000745CE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3996-22-0x0000000005400000-0x0000000005401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3996-23-0x0000000005EC0000-0x0000000005EC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3996-24-0x0000000005F50000-0x0000000005F51000-memory.dmp
        Filesize

        4KB

        Download