File name: | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe |
Full analysis: | https://app.any.run/tasks/6a559932-639e-47c1-9806-bffeff09dc67 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | April 15, 2019, 13:19:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | D18C6EDB768E000117EEEEA3D5FC89BE |
SHA1: | 775CEB1BD0D24DF850773B5B57EA588983AA18D2 |
SHA256: | ACBEE4955A1ECF53BAA95BB0E3B0C8B87FE320797D626F47041AF8FEEC31D91A |
SSDEEP: | 12288:lnzefKdEN7vYCiXUrTNRw8FC4UaY7HYeesMFAa+i8H6:lnzMKavYsTNRrUz7oxili8H6 |
.exe | | | NSIS - Nullsoft Scriptable Install System (94.8) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (3.4) |
.dll | | | Win32 Dynamic Link Library (generic) (0.7) |
.exe | | | Win32 Executable (generic) (0.5) |
.exe | | | Generic Win/DOS Executable (0.2) |
ProductName: | Severe Weather Alerts |
---|---|
LegalCopyright: | Weather Notifications, LLC © 2013. All Rights Reserved. |
FileVersion: | 1.23.0.0 |
FileDescription: | Application |
CompanyName: | Weather Notifications, LLC |
CharacterSet: | Windows, Latin1 |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.23.0.0 |
FileVersionNumber: | 1.23.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x30fa |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 164864 |
CodeSize: | 24064 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2009:12:05 23:50:52+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 05-Dec-2009 22:50:52 |
Detected languages: |
|
CompanyName: | Weather Notifications, LLC |
FileDescription: | Application |
FileVersion: | 1.23.0.0 |
LegalCopyright: | Weather Notifications, LLC © 2013. All Rights Reserved. |
ProductName: | Severe Weather Alerts |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 05-Dec-2009 22:50:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011 |
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684 |
.data | 0x00009000 | 0x00025C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801 |
.ndata | 0x0002F000 | 0x0000A000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00039000 | 0x00004520 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.87531 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.22437 | 947 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 5.9993 | 3752 | UNKNOWN | English - United States | RT_ICON |
3 | 6.24459 | 2216 | UNKNOWN | English - United States | RT_ICON |
4 | 5.01502 | 1384 | UNKNOWN | English - United States | RT_ICON |
5 | 6.16057 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 3.34146 | 744 | UNKNOWN | English - United States | RT_ICON |
7 | 3.04232 | 296 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.6691 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1700 | "C:\Users\admin\AppData\Local\Temp\acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe" | C:\Users\admin\AppData\Local\Temp\acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | explorer.exe | |
User: admin Company: Weather Notifications, LLC Integrity Level: MEDIUM Description: Application Exit code: 0 Version: 1.23.0.0 | ||||
3140 | "C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe" /installer 1200396 1 | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | |
User: admin Company: Weather Notifications, LLC Integrity Level: MEDIUM Description: SevereWeatherAlerts Version: 1.21.0.0 | ||||
3212 | "C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe" /installevent=10 /distid=1200396 /tpchannelid=1 | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe | — | SevereWeatherAlerts.exe |
User: admin Integrity Level: MEDIUM Description: SevereWeatherAlertsApp Exit code: 0 Version: 1.0.9.0 | ||||
3520 | "C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe" /distid=1200396 /tpchannelid=1 | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe | SevereWeatherAlertsApp.exe | |
User: admin Integrity Level: MEDIUM Description: SevereWeatherAlertsApp Version: 1.0.9.0 | ||||
2780 | "C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe" | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe | — | SevereWeatherAlerts.exe |
User: admin Company: Weather Notifications, LLC Integrity Level: MEDIUM Description: SWAUpdater Exit code: 3221226540 Version: 1.2.0.0 | ||||
900 | "C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe" | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe | SevereWeatherAlerts.exe | |
User: admin Company: Weather Notifications, LLC Integrity Level: HIGH Description: SWAUpdater Exit code: 0 Version: 1.2.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\ioSpecial.ini | text | |
MD5:34C06E13176EB1A1A00A7FCD35FBEE7D | SHA256:372B84DA5B159AAFED23085A07B267B890B87B091ECE5AC4082F86658384872D | |||
3140 | SevereWeatherAlerts.exe | C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\lviqbgj4.newcfg | — | |
MD5:— | SHA256:— | |||
3520 | SevereWeatherAlertsApp.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat.tmp | — | |
MD5:— | SHA256:— | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe | executable | |
MD5:74B457DB24E9A1677E0D841686F11C95 | SHA256:68C6E2521E232C72DA81215A25218BC11758C37010C67DFB52C8478E3A3682A9 | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe.config | xml | |
MD5:2CAFCA792CF6D92685107DB827C44B00 | SHA256:373DA9A0D703D45A914366B89077519E8883256AC5FE18B47161BAE6A19A5021 | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts.lnk | lnk | |
MD5:AFC557E9FCA0887CD6BEDBBC7F058603 | SHA256:E6A141D74495CFFB692CA215B52CB078324B8CD2F58DBFEB55EF6A374ACB925C | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\uninstall.exe | executable | |
MD5:3F83B9EAC72673ED46C6186F1D09E60F | SHA256:6865BE77C74C8F82CB54E79BE66C6A60A95182571885587C0266A45F2158C2BC | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat | binary | |
MD5:457B73F64501B3489678D555EB7F46B3 | SHA256:D363745224C59CC861A4D50B75FF0AED0B7138B2C1F5E11BFA7800AC4DC38625 | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsBrowser.exe | executable | |
MD5:65C5AC31BC867C0AC16A05002B78B110 | SHA256:D77797EA67A8BA795F9D98DF39D667F50EF457970A0AE20964215C6D1FF60781 | |||
1700 | acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe | C:\Users\admin\AppData\Local\SevereWeatherAlerts\ICSharpCode.SharpZipLib.dll | executable | |
MD5:17D67AFB3452B3B78A679FA9F4CAEFD8 | SHA256:68DAE50CCA679F6CA5C9E4F4225E34D738D34098701DDE463F2304415845DD8B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3140 | SevereWeatherAlerts.exe | GET | 301 | 13.32.219.90:80 | http://www.spc.noaa.gov/products/outlook/archive/2019/KWNSPTSDY1_201904151300.txt | US | html | 183 b | whitelisted |
3520 | SevereWeatherAlertsApp.exe | GET | 200 | 5.79.68.107:80 | http://survey-smiles.com/ | NL | html | 295 b | whitelisted |
3520 | SevereWeatherAlertsApp.exe | GET | 200 | 5.79.68.107:80 | http://survey-smiles.com/ | NL | html | 295 b | whitelisted |
3140 | SevereWeatherAlerts.exe | GET | 200 | 172.217.21.202:80 | http://maps.googleapis.com/maps/api/geocode/xml?address=United%20States&sensor=false | US | xml | 300 b | whitelisted |
3140 | SevereWeatherAlerts.exe | GET | 200 | 104.16.37.47:80 | http://geoip.maxmind.com/b?l=9sm8C3xEMxTs&i=62.212.86.130 | US | text | 24 b | shared |
3520 | SevereWeatherAlertsApp.exe | GET | 200 | 5.79.68.107:80 | http://survey-smiles.com/ | NL | html | 295 b | whitelisted |
3140 | SevereWeatherAlerts.exe | GET | 200 | 216.146.43.71:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared |
3140 | SevereWeatherAlerts.exe | GET | 301 | 13.32.219.37:80 | http://earthquake.usgs.gov/earthquakes/feed/v0.1/summary/2.5_day.csv | US | html | 183 b | whitelisted |
3520 | SevereWeatherAlertsApp.exe | GET | 200 | 5.79.68.107:80 | http://survey-smiles.com/ | NL | html | 295 b | whitelisted |
3520 | SevereWeatherAlertsApp.exe | GET | 200 | 5.79.68.107:80 | http://survey-smiles.com/ | NL | html | 295 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3140 | SevereWeatherAlerts.exe | 172.217.21.202:80 | maps.googleapis.com | Google Inc. | US | whitelisted |
3140 | SevereWeatherAlerts.exe | 13.32.219.90:443 | www.spc.noaa.gov | Amazon.com, Inc. | US | unknown |
3140 | SevereWeatherAlerts.exe | 13.32.219.221:443 | www.spc.noaa.gov | Amazon.com, Inc. | US | unknown |
3140 | SevereWeatherAlerts.exe | 13.32.219.133:443 | www.spc.noaa.gov | Amazon.com, Inc. | US | unknown |
3140 | SevereWeatherAlerts.exe | 13.32.219.90:80 | www.spc.noaa.gov | Amazon.com, Inc. | US | unknown |
3140 | SevereWeatherAlerts.exe | 104.16.37.47:80 | geoip.maxmind.com | Cloudflare Inc | US | shared |
3520 | SevereWeatherAlertsApp.exe | 5.79.68.107:80 | survey-smiles.com | LeaseWeb Netherlands B.V. | NL | malicious |
3140 | SevereWeatherAlerts.exe | 13.32.219.155:443 | www.spc.noaa.gov | Amazon.com, Inc. | US | unknown |
3520 | SevereWeatherAlertsApp.exe | 207.244.65.58:80 | severeweatheralerts02.severeweatheralerts.net | Leaseweb USA, Inc. | US | malicious |
— | — | 207.244.65.58:80 | severeweatheralerts02.severeweatheralerts.net | Leaseweb USA, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
checkip.dyndns.org |
| shared |
geoip.maxmind.com |
| unknown |
maps.googleapis.com |
| whitelisted |
www.spc.noaa.gov |
| whitelisted |
severeweatheralerts02.severeweatheralerts.net |
| malicious |
survey-smiles.com |
| whitelisted |
dns.msftncsi.com |
| shared |
earthquake.usgs.gov |
| whitelisted |
updates.severeweatheralerts.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
3140 | SevereWeatherAlerts.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
3140 | SevereWeatherAlerts.exe | A Network Trojan was detected | MALWARE [PTsecurity] TR/Spy.Gen IP Check checkip.dyndns.org (AgentTesla) |
3140 | SevereWeatherAlerts.exe | Potentially Bad Traffic | ET POLICY DynDNS CheckIp External IP Address Server Response |
Process | Message |
---|---|
SevereWeatherAlertsApp.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
SevereWeatherAlertsApp.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|