Property | Value
---|---
File name | telex copy.7z
Full analysis | https://app.any.run/tasks/8d5b44a3-8b3b-42d6-84b4-e7772146545a
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | May 15, 2019, 13:32:38
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v4, os: Win32
MD5 | AC956C3C91E3482A968FBFD1EB510D7C
SHA1 | F8A22B62A9C8366884B66A410686CC1786400522
SHA256 | 0E9926CCAF8D0548A149D203B56687C11F2A9A75C63218B4D79BD72BE3111276
SSDEEP | 24576:+D7bnFIw4qaoCUZLo14dy+ygLnKO20ilWwKQbLTDttDXWTY:+D7bnF/acm4dy+y+nKO2plFLVtDGTY
Extension | Type | Score
---|---|---
.rar | RAR compressed archive (v-4.x) | 58.3
.rar | RAR compressed archive (gen) | 41.6
Field | Value
---|---
ArchivedFileName | telex copy.exe
PackingMethod | Normal
ModifyDate | 2019:05:15 09:39:26
OperatingSystem | Win32
UncompressedSize | 1144832
CompressedSize | 1075036
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2948 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\telex copy.7z.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3180 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2948.22212\telex copy.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2948.22212\telex copy.exe | | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3980 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | telex copy.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Exit code: 0; Version: 2.0.50727.5420 (Win7SP1.050727-5400)
3464 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | RegAsm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3180 | telex copy.exe | C:\Users\admin\AppData\Roaming\winresume\cemapi.exe | executable | 7B2FF515E3E6C6F0CC29B31BC6177B96 | A4C3AC4252499F8AE4E8BD1AD685BFE51D276355CF15DE8E400B06C898347D16
2948 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2948.22212\telex copy.exe | executable | D0E04217D2EA27452BEE307B57087842 | 69A0D1D31F7CF6BB0618784D4C96E3B40C2CB3CD5C538286049BC71381B51E95
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3464 | RegAsm.exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3464 | RegAsm.exe | 52.202.139.131:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3464 | RegAsm.exe | 198.54.122.60:587 | mail.privateemail.com | Namecheap, Inc. | US | suspicious |
Domain | IP | Reputation
---|---|---
mail.privateemail.com | | shared
checkip.amazonaws.com | | shared
PID | Process | Class | Message |
---|---|---|---|
3464 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3464 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |