| Field | Value |
|---|---|
| File name: | ImCDmlGY3TYhx8L.gz |
| Full analysis: | https://app.any.run/tasks/538beafe-072d-471a-9812-afe87c374be4 |
| Verdict: | Malicious activity |
| Threats: | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
| Analysis date: | August 25, 2019, 22:12:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | DCD0DA857111A72BBBB3FF691F0AA5FC |
| SHA1: | 66DC79D4EE7FC63E8F33E8422D295AC109C0BC03 |
| SHA256: | 104EB152F5F68A4AF2487E853437C4BA709F0C2C7C6FFE26EF5C6C452C87C069 |
| SSDEEP: | 12288:kSTLg0w6wzR+p03R5XR79P+14W6G0tDbA2LfMwP7:Vgp6wzR+paRQ36G05A2z7 |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipFileName: | ImCDmlGY3TYhx8L.scr |
| ZipUncompressedSize: | 576000 |
| ZipCompressedSize: | 542887 |
| ZipCRC: | 0x25bc1fc7 |
| ZipModifyDate: | 2019:08:26 02:20:10 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3412 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ImCDmlGY3TYhx8L.gz" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 3220 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa3412.15719\ImCDmlGY3TYhx8L.scr" /S | C:\Users\admin\AppData\Local\Temp\Rar$DIa3412.15719\ImCDmlGY3TYhx8L.scr | — | WinRAR.exe | User: admin; Company: Illuminati; Integrity Level: MEDIUM; Description: RealEyes; Exit code: 0; Version: 1.6.4.2 |
| 2640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\worldimage.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3752 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa3412.15719\ImCDmlGY3TYhx8L.scr" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3412.15719\ImCDmlGY3TYhx8L.scr | | ImCDmlGY3TYhx8L.scr | User: admin; Company: Illuminati; Integrity Level: MEDIUM; Description: RealEyes; Version: 1.6.4.2 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1EF2.tmp.cvr | — | — | — |
| 3752 | ImCDmlGY3TYhx8L.scr | C:\Users\admin\AppData\Roaming\jkcvs3sm.tpo\Chrome\Default\Cookies | — | — | — |
| 3752 | ImCDmlGY3TYhx8L.scr | C:\Users\admin\AppData\Roaming\jkcvs3sm.tpo\Firefox\Profiles\qldyz51w.default\cookies.sqlite | — | — | — |
| 3752 | ImCDmlGY3TYhx8L.scr | C:\Users\admin\AppData\Roaming\jkcvs3sm.tpo.zip | compressed | EA8210941B94F1A30E0D23B64A2408EF | 75D94614D18C79A9E90C490522E40C58715D6E6D73019999D3C0FDAAEEE9902D |
| 3752 | ImCDmlGY3TYhx8L.scr | C:\Users\admin\AppData\Local\Temp\637023716328711250_e0f29411-2500-4ec0-aa61-50fd49c8133b.db | sqlite | 0B3C43342CE2A99318AA0FE9E531C57B | 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 |
| 2640 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\worldimage.rtf.LNK | lnk | ED1DF31D49F7CEC032AA43902133B17E | 676B29C343B80FF299DDF3D2094D0FA219EAE3F2D86B2D4F3F077DF30047EE6E |
| 2640 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 322A4A3AF92C1F9021412EB8A4224365 | C8EF0D292BBA93BE62212A484D6FED07BB9E42160C1A0C76A3DC69F234AFF2F1 |
| 3752 | ImCDmlGY3TYhx8L.scr | C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe | executable | 19485708AF2C99343C1BDCCC2B6116C3 | 135C5D9FB5599E0BE7E776696637140FC3D6CD8599CB3C8089C4E5944B98ECD7 |
| 3412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3412.15719\ImCDmlGY3TYhx8L.scr | executable | 19485708AF2C99343C1BDCCC2B6116C3 | 135C5D9FB5599E0BE7E776696637140FC3D6CD8599CB3C8089C4E5944B98ECD7 |
| 2640 | WINWORD.EXE | C:\Users\admin\Desktop\~$rldimage.rtf | pgc | BAC750C9A3B62B1D63ED66F9F4B40F0E | 5069D2570772305A61F539E14618996F2CAAB5101429836EBBB0B70AC91BCBCE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3752 | ImCDmlGY3TYhx8L.scr | GET | 200 | 52.44.169.135:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3752 | ImCDmlGY3TYhx8L.scr | 52.44.169.135:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3752 | ImCDmlGY3TYhx8L.scr | 198.54.116.220:587 | mail.allseasonshipyard.com | Namecheap, Inc. | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| checkip.amazonaws.com | | shared |
| mail.allseasonshipyard.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3752 | ImCDmlGY3TYhx8L.scr | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3752 | ImCDmlGY3TYhx8L.scr | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3752 | ImCDmlGY3TYhx8L.scr | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |