analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

telex copy.7z

Full analysis: https://app.any.run/tasks/8d5b44a3-8b3b-42d6-84b4-e7772146545a
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: May 15, 2019, 13:32:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
rat
agenttesla
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

AC956C3C91E3482A968FBFD1EB510D7C

SHA1:

F8A22B62A9C8366884B66A410686CC1786400522

SHA256:

0E9926CCAF8D0548A149D203B56687C11F2A9A75C63218B4D79BD72BE3111276

SSDEEP:

24576:+D7bnFIw4qaoCUZLo14dy+ygLnKO20ilWwKQbLTDttDXWTY:+D7bnF/acm4dy+y+nKO2plFLVtDGTY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • telex copy.exe (PID: 3180)
    • Changes the autorun value in the registry

      • telex copy.exe (PID: 3180)
    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 3464)
    • AGENTTESLA was detected

      • RegAsm.exe (PID: 3464)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • telex copy.exe (PID: 3180)
      • WinRAR.exe (PID: 2948)
    • Creates files in the user directory

      • telex copy.exe (PID: 3180)
    • Application launched itself

      • RegAsm.exe (PID: 3980)
    • Checks for external IP

      • RegAsm.exe (PID: 3464)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: telex copy.exe
PackingMethod: Normal
ModifyDate: 2019:05:15 09:39:26
OperatingSystem: Win32
UncompressedSize: 1144832
CompressedSize: 1075036
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winrar.exe telex copy.exe regasm.exe no specs #AGENTTESLA regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\telex copy.7z.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3180"C:\Users\admin\AppData\Local\Temp\Rar$EXa2948.22212\telex copy.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2948.22212\telex copy.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3980"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exetelex copy.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3464"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
Total events
520
Read events
484
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3180telex copy.exeC:\Users\admin\AppData\Roaming\winresume\cemapi.exeexecutable
MD5:7B2FF515E3E6C6F0CC29B31BC6177B96
SHA256:A4C3AC4252499F8AE4E8BD1AD685BFE51D276355CF15DE8E400B06C898347D16
2948WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2948.22212\telex copy.exeexecutable
MD5:D0E04217D2EA27452BEE307B57087842
SHA256:69A0D1D31F7CF6BB0618784D4C96E3B40C2CB3CD5C538286049BC71381B51E95
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3464
RegAsm.exe
GET
200
52.202.139.131:80
http://checkip.amazonaws.com/
US
text
15 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3464
RegAsm.exe
52.202.139.131:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared
3464
RegAsm.exe
198.54.122.60:587
mail.privateemail.com
Namecheap, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
mail.privateemail.com
  • 198.54.122.60
shared
checkip.amazonaws.com
  • 52.202.139.131
  • 34.233.102.38
  • 52.206.161.133
  • 18.211.215.84
  • 52.200.125.74
  • 52.6.79.229
shared

Threats

PID
Process
Class
Message
3464
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3464
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info