File name: | Proforma Invoice.UUE |
Full analysis: | https://app.any.run/tasks/ab0ce385-8a9f-4686-b57e-2bc2c7e33214 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | May 15, 2019, 10:58:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3B948F6C2B7227A6CC6E29BF230E7A56 |
SHA1: | F6AF386F8A878B1DFDD67F323B0344DBA22D54D3 |
SHA256: | 17320B532C13A5261F4EFFED3A33860C0A5077DE79C359CB29CF4C450C7AFD91 |
SSDEEP: | 12288:GX0tHw+zDFs3s0lKrWb6JntrEJixpuwIH2n9VMW3a:GX0ZwADF0rDEEmIiVBa |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Proforma Invoice .XLSX.EXE |
---|---|
ZipUncompressedSize: | 756736 |
ZipCompressedSize: | 584586 |
ZipCRC: | 0x83fcc9ed |
ZipModifyDate: | 2019:05:14 05:59:12 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3188 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.UUE" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3900 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE | WinRAR.exe | |
User: admin Company: ActionCenterCPL Integrity Level: MEDIUM Description: BackgroundMediaPolicy Exit code: 0 Version: 836.511.848.500 | ||||
3032 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Proforma Invoice .XLSX.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3968 | "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE" | C:\Windows\System32\cmd.exe | — | Proforma Invoice .XLSX.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3056 | TimeOut 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3900 | Proforma Invoice .XLSX.EXE | C:\Users\admin\AppData\Roaming\FaceFodUninstaller\AppVNice.exe | executable | |
MD5:67814AE6BFD67B2E4CE3C26545D2CF99 | SHA256:D45B657AC71E4466327D864F6994590F28C79D2D7EB3B781374FFBBA1D36B400 | |||
3188 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE | executable | |
MD5:A04665649E1E94ECB0604C98EF332131 | SHA256:EBDDA84A40ECE8297C5374AD787599CC0B55162C628AECA95C99588E85874E3C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3032 | RegSvcs.exe | GET | 200 | 52.200.125.74:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3032 | RegSvcs.exe | 52.200.125.74:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3032 | RegSvcs.exe | 198.54.125.61:26 | mail.sweeddehacklord.us | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
mail.sweeddehacklord.us |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3032 | RegSvcs.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3032 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3032 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |