Analysis
-
max time kernel
148s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
27-02-2021 11:50
General
-
Target
Messages Alert.exe
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://files.000webhost.com/ - Port:
21 - Username:
zinco - Password:
computer147
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bEAtZomlY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B83.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Messages Alert.exe.logMD5
c3cc52ccca9ff2b6fa8d267fc350ca6b
SHA1a68d4028333296d222e4afd75dea36fdc98d05f3
SHA2563125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
SHA512b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
-
C:\Users\Admin\AppData\Local\Temp\tmp1B83.tmpMD5
180e63283a3d97a63c3390021e9995bc
SHA1695d31b6a2c45a0b05d552ff26957ffd24d3401e
SHA2569781c37f3028203c075675a0ff0c9fc8304a7f9b3d547e37d439efd39c85dc05
SHA51226ff23d0ef038bd4734481a6662f57b9b0f5ee038367ab951cf1ca04c254420e829f4c0fdbca8b98c84f16904d3217bd48551f61ead31da3d3bc9e4f0c1039d9
-
memory/644-11-0x0000000007330000-0x000000000738C000-memory.dmpFilesize
368KB
-
memory/644-3-0x0000000000D20000-0x0000000000D21000-memory.dmpFilesize
4KB
-
memory/644-7-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/644-8-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/644-9-0x0000000005A00000-0x0000000005A03000-memory.dmpFilesize
12KB
-
memory/644-10-0x00000000058D0000-0x00000000058D1000-memory.dmpFilesize
4KB
-
memory/644-2-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/644-6-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/644-5-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/1376-12-0x0000000000000000-mapping.dmp
-
memory/3948-15-0x00000000004375DE-mapping.dmp
-
memory/3948-14-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/3948-17-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/3948-22-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/3948-23-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/3948-24-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB