Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 09:31
Static task: static1
Behavioral task: behavioral1
  Sample: New Email Added and Messages Alert.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: New Email Added and Messages Alert.js
  Resource: win10v2004-20220414-en
General
- Target: New Email Added and Messages Alert.js
- Size: 508KB
- MD5: 0a74331331f9118783c14a258df23047
- SHA1: bfc2ad650dcf6271a07f6eb5ce3efe82b87b7c38
- SHA256: b4629fb4d969ce71bc3e0f8725243ed55f592a944a9ab43044e857d896dee871
- SHA512: 516f8d65e05b581b9262945ef9b8d69bd09319c3768d65ac5b7dda3c065722eba63c5baaa48a9214b724764cf03447235c301025a8b815eb3d80d080be55adc6
Malware Config
Extracted
  Protocol: ftp
  Host: files.000webhost.com
  Port: 21
  Username: zincox
  Password: computer@1010
Extracted (agenttesla)
  Protocol: ftp
  Host: ftp://files.000webhost.com/
  Port: 21
  Username: zincox
  Password: computer@1010
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
suricata: ET MALWARE AgentTesla Exfil via FTP
-
Blocklisted process makes network request 12 IoCs
Processes: wscript.exe
  flow  pid  process
  7     736  wscript.exe
  16    736  wscript.exe
  23    736  wscript.exe
  26    736  wscript.exe
  37    736  wscript.exe
  48    736  wscript.exe
  53    736  wscript.exe
  58    736  wscript.exe
  83    736  wscript.exe
  90    736  wscript.exe
  98    736  wscript.exe
  99    736  wscript.exe
-
Executes dropped EXE 1 IoCs
Processes: New Email Added and Messages Alert.exe
  pid   process
  1848  New Email Added and Messages Alert.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    process: wscript.exe
-
Drops startup file 2 IoCs
Processes: wscript.exe
  - description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezqHzyDEBJ.js
    process: wscript.exe
  - description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezqHzyDEBJ.js
    process: wscript.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: New Email Added and Messages Alert.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: New Email Added and Messages Alert.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: New Email Added and Messages Alert.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: New Email Added and Messages Alert.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: wscript.exe
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: wscript.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezqHzyDEBJ.js\""
    process: wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: New Email Added and Messages Alert.exe
  pid   process
  1848  New Email Added and Messages Alert.exe
  1848  New Email Added and Messages Alert.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: New Email Added and Messages Alert.exe
  - description: Token: SeDebugPrivilege
    pid: 1848
    process: New Email Added and Messages Alert.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: wscript.exe
  - description: PID 1868 wrote to memory of 736
    pid: 1868
    process: wscript.exe
    target process: wscript.exe
  - description: PID 1868 wrote to memory of 736
    pid: 1868
    process: wscript.exe
    target process: wscript.exe
  - description: PID 1868 wrote to memory of 1848
    pid: 1868
    process: wscript.exe
    target process: New Email Added and Messages Alert.exe
  - description: PID 1868 wrote to memory of 1848
    pid: 1868
    process: wscript.exe
    target process: New Email Added and Messages Alert.exe
  - description: PID 1868 wrote to memory of 1848
    pid: 1868
    process: wscript.exe
    target process: New Email Added and Messages Alert.exe
-
outlook_office_path 1 IoCs
Processes: New Email Added and Messages Alert.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: New Email Added and Messages Alert.exe
-
outlook_win_path 1 IoCs
Processes: New Email Added and Messages Alert.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: New Email Added and Messages Alert.exe
Processes
-
C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Email Added and Messages Alert.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ezqHzyDEBJ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  -
  C:\Users\Admin\AppData\Local\Temp\New Email Added and Messages Alert.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Email Added and Messages Alert.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\New Email Added and Messages Alert.exe
  Filesize: 209KB
  MD5: e711faa67fee4611ead33d70cf480594
  SHA1: 04abd88d79bf2b0660bd20d94e01d37d75f76bd8
  SHA256: da6985009226924a22f0b0a2a80163ff9e30e77d940ad3c0323f22bc748a284a
  SHA512: d692a166356301478c7c24d4dc8601c31d986ddea03406f8810c31db526f62411d2b83a370e46716f63e8680b10ef0bdeaa7d9396bc063db25912ddf69f66dc0
-
C:\Users\Admin\AppData\Roaming\ezqHzyDEBJ.js
  Filesize: 49KB
  MD5: bdc987e24f3756203aba0bdad8f3f455
  SHA1: f45575f65715623d255b8c3f403306ab8598b874
  SHA256: deb124489dadb59b3c7a6afd7a6f774538935fb0968b04dd8ca6de104d2cc19b
  SHA512: 32ae2c2794ff4a5d662f013f946f1ef5ce0b489c171ed5991468ef82d011de952b78bb23a9428e3c2b96f140e1ece9cc81e308da698698b8dc18041bbd0a1805
-
memory/736-130-0x0000000000000000-mapping.dmp
-
memory/1848-132-0x0000000000000000-mapping.dmp
-
memory/1848-135-0x00000000008E0000-0x000000000091A000-memory.dmp
  Filesize: 232KB
-
memory/1848-136-0x00000000058B0000-0x0000000005E54000-memory.dmp
  Filesize: 5.6MB
-
memory/1848-137-0x0000000005300000-0x000000000539C000-memory.dmp
  Filesize: 624KB
-
memory/1848-138-0x0000000006010000-0x0000000006076000-memory.dmp
  Filesize: 408KB
-
memory/1848-139-0x00000000066C0000-0x0000000006710000-memory.dmp
  Filesize: 320KB
-
memory/1848-140-0x0000000006C30000-0x0000000006CC2000-memory.dmp
  Filesize: 584KB
-
memory/1848-141-0x0000000006BE0000-0x0000000006BEA000-memory.dmp
  Filesize: 40KB