File name: order no UOIMM20190830.pdf.z
Full analysis: https://app.any.run/tasks/474e87e1-fb21-478f-a53c-f4e951150dc2
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: October 09, 2019, 18:15:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: keylogger, agenttesla, evasion, trojan, rat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 489ED3838E316E3483BCF2E4152C7FA4
SHA1: 551ABDF62D4FE310FE098F7E6A8A78921E3DFA21
SHA256: 09745F677FDEBF9F23F710249449178BD7722B8D9B2D6344FEC4D120C27AEA40
SSDEEP: 12288:fpbHoe1v1tvRaqOHeqPoaE/OUd/rPDNFXOhVn3TwCQRFH:fBoeNjRV/OGTPDNFe/3kR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • order no UOIMM20190830.bat (PID: 3864)
      • order no UOIMM20190830.bat (PID: 2920)
    • AGENTTESLA was detected
      • order no UOIMM20190830.bat (PID: 3864)
    • Actions looks like stealing of personal data
      • order no UOIMM20190830.bat (PID: 3864)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2276)
    • Reads the cookies of Google Chrome
      • order no UOIMM20190830.bat (PID: 3864)
    • Creates files in the user directory
      • order no UOIMM20190830.bat (PID: 3864)
    • Reads the cookies of Mozilla Firefox
      • order no UOIMM20190830.bat (PID: 3864)
    • Starts application with an unusual extension
      • WinRAR.exe (PID: 2276)
      • order no UOIMM20190830.bat (PID: 2920)
    • Connects to SMTP port
      • order no UOIMM20190830.bat (PID: 3864)
    • Suspicious files were dropped or overwritten
      • WinRAR.exe (PID: 2276)
  • INFO
    • No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
Malware configuration: none extracted.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP group, archive metadata)

ArchivedFileName: order no UOIMM20190830.bat
PackingMethod: Normal
ModifyDate: 2019:10:09 08:42:12
OperatingSystem: Win32
UncompressedSize: 868352
CompressedSize: 524039
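The file identification above shows two layers of naming deception: a RAR v4 archive (MIME application/x-rar) delivered under the double extension .pdf.z, and inside it a file named .bat that the dropped-files table types as "executable" and that carries PE version info (Company "apPLE", Description "COL"). The following Python is an added example written for this page, not ANY.RUN's code: it identifies a file by its magic bytes and flags the mismatch with what its name claims. The SAMPLE_* byte strings are constructed header stubs, not the real sample's content (the real file's hashes are in the Indicators section).

```python
"""Content-vs-name triage for lures like 'order no X.pdf.z' -> 'order no X.bat'.

Added example for this report, not ANY.RUN code. SAMPLE_* below are
constructed byte strings that only reproduce file headers; they are not the
real sample (its MD5/SHA256 are listed in the report).
"""
import hashlib
from dataclasses import dataclass, field

# Magic numbers for the container types the report mentions or that the
# file names here pretend to be.
MAGIC = [
    (b"Rar!\x1a\x07\x00", "rar4"),        # "RAR archive data, v4" in the report
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                        # DOS/PE image header
]

# What each extension promises; anything not listed is treated as "unknown".
EXPECTED = {".rar": "rar4", ".zip": "zip", ".pdf": "pdf", ".exe": "pe", ".scr": "pe"}
# Extensions Windows runs on double-click whose content should be text.
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".wsf"}
ARCHIVE_EXT = {".rar", ".zip", ".7z", ".z", ".gz", ".ace", ".iso"}
LURE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


@dataclass
class Triage:
    name: str
    detected: str
    extensions: list
    sha256: str
    flags: list = field(default_factory=list)


def detect_type(head: bytes) -> str:
    """Return the container type by magic bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def split_extensions(name: str) -> list:
    """'order no X.pdf.z' -> ['.pdf', '.z'] (every dotted suffix, lower-cased)."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(name: str, data: bytes) -> Triage:
    exts = split_extensions(name)
    kind = detect_type(data[:16])
    t = Triage(name, kind, exts, hashlib.sha256(data).hexdigest())
    outer = exts[-1] if exts else ""
    inner = exts[-2] if len(exts) > 1 else ""

    # 1. A "script" that starts with MZ is a PE renamed to look harmless.
    if outer in SCRIPT_EXT and kind == "pe":
        t.flags.append(f"'{outer}' file is a PE image (MZ header), not a script")
    # 2. The extension promises one container but the bytes are another.
    if outer in EXPECTED and EXPECTED[outer] != kind:
        t.flags.append(f"'{outer}' expected {EXPECTED[outer]}, found {kind}")
    # 3. RAR content hidden behind a non-.rar archive extension (.z here).
    if kind.startswith("rar") and outer in ARCHIVE_EXT and outer != ".rar":
        t.flags.append(f"RAR data delivered as '{outer}'")
    # 4. Document-looking name with an archive/script suffix tacked on.
    if inner in LURE_EXT and (outer in ARCHIVE_EXT or outer in SCRIPT_EXT):
        t.flags.append(f"double extension: '{inner}' lure under '{outer}'")
    return t


# Constructed stand-ins (NOT the real sample bytes; headers only).
SAMPLE_PDF_Z = b"Rar!\x1a\x07\x00" + b"\x00" * 56               # RAR v4 header behind .pdf.z
SAMPLE_FAKE_BAT = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56  # PE stub behind a .bat name
SAMPLE_REAL_BAT = b"@echo off\r\necho hello\r\n"                 # what a .bat should look like


def report(name: str, data: bytes) -> str:
    t = triage(name, data)
    verdict = "SUSPICIOUS" if t.flags else "ok"
    return f"{t.name}: {t.detected} {verdict} " + "; ".join(t.flags)


if __name__ == "__main__":
    for n, d in [("order no UOIMM20190830.pdf.z", SAMPLE_PDF_Z),
                 ("order no UOIMM20190830.bat", SAMPLE_FAKE_BAT),
                 ("order no UOIMM20190830.bat", SAMPLE_REAL_BAT)]:
        print(report(n, d))
```

The check is deliberately byte-based rather than extension-based: WinRAR opened the .z file as RAR and then launched the .bat as a PE regardless of what either name suggested, which is exactly why a mail gateway or EDR should classify on content and only use the name to detect the mismatch.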
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe
  -> WinRAR.exe (PID 2276): drops and starts
     -> order no UOIMM20190830.bat (PID 2920, no specs): starts
        -> order no UOIMM20190830.bat (PID 3864) #AGENTTESLA

Process information

PID 2276
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\order no UOIMM20190830.pdf.z.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2920
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat
  Parent process: WinRAR.exe
  User: admin
  Company: apPLE
  Integrity Level: MEDIUM
  Description: COL
  Exit code: 0
  Version: 1.00

PID 3864
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat
  Parent process: order no UOIMM20190830.bat
  User: admin
  Company: apPLE
  Integrity Level: MEDIUM
  Description: COL
  Version: 1.00
Total events: 582
Read events: 546
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 2
Text files: 3
Unknown types: 1

Dropped files

PID 3864, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Roaming\g3rhhin3.r4b\Chrome\Default\Cookies
  Type, MD5 and SHA256: not reported in the summary

PID 3864, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Roaming\g3rhhin3.r4b\Firefox\Profiles\qldyz51w.default\cookies.sqlite
  Type, MD5 and SHA256: not reported in the summary

PID 2920, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Local\Temp\~DFC1B9FFA080161F7D.TMP (binary)
  MD5: 04C81CF9DCCD1492AA33CB7D3DC63B7C
  SHA256: 06408C99C1DD0DE7B03297291ECEDFF1666CAA889CF1425D06B125DD613197A5

PID 3864, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Roaming\g3rhhin3.r4b.zip (compressed)
  MD5: E617504378902AF64C6C667C3E1BD48F
  SHA256: B28CA3C3ACE7D3F5D2DE65649DCA886A95DE07D408BF411C261E4DAA2B4F8D1C

PID 3864, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Local\Temp\637062453593347500_cf07c1e4-9d8f-42b0-a711-a361983ed977.db (sqlite)
  MD5: 0B3C43342CE2A99318AA0FE9E531C57B
  SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8

PID 2276, WinRAR.exe
  C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat (executable)
  MD5: AFCD9F451FAE64120BFFF241590B838F
  SHA256: 84EAA33081729B86640ADA7CD6C8D01A5640FE2B67C7FA626504B2A1BDF13CEB

PID 3864, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini (text)
  MD5: D2A2412BDDBA16D60EC63BD9550D933F
  SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A

PID 2920, order no UOIMM20190830.bat
  C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini (text)
  MD5: D2A2412BDDBA16D60EC63BD9550D933F
  SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process                     IP                  Domain                 ASN              CN  Reputation
3864  order no UOIMM20190830.bat  198.54.122.60:587   mail.privateemail.com  Namecheap, Inc.  US  suspicious
3864  order no UOIMM20190830.bat  18.214.132.216:80   checkip.amazonaws.com  (not reported)   US  shared

DNS requests

checkip.amazonaws.com (reputation: shared)
  • 18.214.132.216
  • 34.196.181.158
  • 3.224.145.145
  • 52.44.169.135
  • 18.205.71.63
  • 52.55.255.113
mail.privateemail.com (reputation: shared)
  • 198.54.122.60

Threats

PID   Process                     Class                          Message
3864  order no UOIMM20190830.bat  A Network Trojan was detected  MALWARE [PTsecurity] AgentTesla IP Check

2 ETPRO signatures available at the full report
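Read together, the dropped-files, DNS and connection tables describe one process (PID 3864) staging the Chrome and Firefox cookie stores, resolving checkip.amazonaws.com and then opening TCP/587 to mail.privateemail.com, while the only IDS hit is named "AgentTesla IP Check". The Python below is an added example written for this page, not ANY.RUN's code: it shows how a detection engineer could correlate those three behaviours per process in host telemetry instead of alerting on the SMTP connection alone. The EVENTS list is constructed from the report's values; PID 2100 ("outlook.exe", 203.0.113.10) is an invented benign baseline, and the event field names are this example's own schema, not ANY.RUN's export format.

```python
"""Correlate per-process events into the stealer pattern this report shows:
browser cookie stores touched, public-IP lookup, then SMTP submission.

Added example written for this page, not ANY.RUN code. EVENTS is a constructed
list modelled on the report's dropped-files, DNS and connection tables for
PID 3864; PID 2100 (a mail client) and its address are made up to show that
SMTP traffic on its own does not trigger the rule.
"""
import re
from collections import defaultdict

# Chrome "Cookies" and Firefox "cookies.sqlite", in place or as staged copies
# such as %APPDATA%\g3rhhin3.r4b\Chrome\Default\Cookies in the report.
COOKIE_STORE = re.compile(
    r"\\Chrome\\(?:User Data\\)?[^\\]+\\Cookies$|\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    re.IGNORECASE,
)
# Public-IP lookup services; the report's IDS hit is "AgentTesla IP Check".
IP_CHECK_HOSTS = {"checkip.amazonaws.com", "checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}
# SMTP relay/submission ports used for mail-based exfiltration (587 here).
SMTP_PORTS = {25, 465, 587, 2525}

EVENTS = [  # constructed; field names are this example's own schema
    {"pid": 3864, "image": "order no UOIMM20190830.bat", "type": "file_write",
     "path": r"C:\Users\admin\AppData\Roaming\g3rhhin3.r4b\Chrome\Default\Cookies"},
    {"pid": 3864, "image": "order no UOIMM20190830.bat", "type": "file_write",
     "path": r"C:\Users\admin\AppData\Roaming\g3rhhin3.r4b\Firefox\Profiles\qldyz51w.default\cookies.sqlite"},
    {"pid": 3864, "image": "order no UOIMM20190830.bat", "type": "dns", "domain": "checkip.amazonaws.com"},
    {"pid": 3864, "image": "order no UOIMM20190830.bat", "type": "connect",
     "ip": "18.214.132.216", "port": 80, "domain": "checkip.amazonaws.com"},
    {"pid": 3864, "image": "order no UOIMM20190830.bat", "type": "connect",
     "ip": "198.54.122.60", "port": 587, "domain": "mail.privateemail.com"},
    {"pid": 2920, "image": "order no UOIMM20190830.bat", "type": "file_write",
     "path": r"C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini"},
    {"pid": 2100, "image": "outlook.exe", "type": "connect",  # made-up benign baseline
     "ip": "203.0.113.10", "port": 587, "domain": "smtp.example.com"},
]

STAGES = ("cookie_stores", "ip_check", "smtp")


def correlate(events):
    """Group evidence per PID into the three stages."""
    per_pid = defaultdict(lambda: {"image": None, **{s: set() for s in STAGES}})
    for e in events:
        h = per_pid[e["pid"]]
        h["image"] = e["image"]
        if e["type"] in ("file_read", "file_write") and COOKIE_STORE.search(e["path"]):
            h["cookie_stores"].add(e["path"])
        elif e["type"] == "dns" and e["domain"].lower() in IP_CHECK_HOSTS:
            h["ip_check"].add(e["domain"])
        elif e["type"] == "connect":
            if e.get("domain", "").lower() in IP_CHECK_HOSTS:
                h["ip_check"].add(e["domain"])
            if e["port"] in SMTP_PORTS:
                h["smtp"].add(f"{e['ip']}:{e['port']}")
    return per_pid


def verdicts(events, min_stages=2):
    """Flag PIDs showing at least min_stages of the three stages.

    Two of three is the default: SMTP alone is what a mail client does, and an
    IP check alone is what many updaters do; combined with cookie-store access
    they describe a credential stealer's exfiltration path.
    """
    out = {}
    for pid, h in correlate(events).items():
        stages = [s for s in STAGES if h[s]]
        if len(stages) >= min_stages:
            out[pid] = {"image": h["image"], "stages": stages,
                        "evidence": {s: sorted(h[s]) for s in stages}}
    return out


if __name__ == "__main__":
    for pid, v in verdicts(EVENTS).items():
        print(f"PID {pid} ({v['image']}): {', '.join(v['stages'])}")
        for stage, items in v["evidence"].items():
            print(f"  {stage}: {items}")
```

Fed with real telemetry (Sysmon file-create, DNS and network-connect events keyed by process GUID rather than PID, since PIDs are reused), the same correlation generalises beyond this sample: any unsigned process that touches browser credential stores and then speaks SMTP to a host it has just learned its public IP for deserves a look, whatever family name the IDS attaches.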
No debug info