File name: Proforma Invoice.UUE

Full analysis: https://app.any.run/tasks/ab0ce385-8a9f-4686-b57e-2bc2c7e33214
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: May 15, 2019, 10:58:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan, rat, agenttesla
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 3B948F6C2B7227A6CC6E29BF230E7A56
SHA1: F6AF386F8A878B1DFDD67F323B0344DBA22D54D3
SHA256: 17320B532C13A5261F4EFFED3A33860C0A5077DE79C359CB29CF4C450C7AFD91
SSDEEP: 12288:GX0tHw+zDFs3s0lKrWb6JntrEJixpuwIH2n9VMW3a:GX0ZwADF0rDEEmIiVBa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Proforma Invoice .XLSX.EXE (PID: 3900)
    • Changes the autorun value in the registry
      • Proforma Invoice .XLSX.EXE (PID: 3900)
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 3032)
    • AGENTTESLA was detected
      • RegSvcs.exe (PID: 3032)
  • SUSPICIOUS
    • Creates files in the user directory
      • Proforma Invoice .XLSX.EXE (PID: 3900)
    • Starts CMD.EXE for command execution
      • Proforma Invoice .XLSX.EXE (PID: 3900)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3188)
      • Proforma Invoice .XLSX.EXE (PID: 3900)
    • Checks for external IP
      • RegSvcs.exe (PID: 3032)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD:
.zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: Proforma Invoice .XLSX.EXE
ZipUncompressedSize: 756736
ZipCompressedSize: 584586
ZipCRC: 0x83fcc9ed
ZipModifyDate: 2019:05:14 05:59:12
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree; the interactive graph is in the full report)

WinRAR.exe (PID: 3188)
  └─ Proforma Invoice .XLSX.EXE (PID: 3900)  [drop and start]
       ├─ RegSvcs.exe (PID: 3032)  #AGENTTESLA  [start]
       └─ cmd.exe (PID: 3968)  (no specs)
            └─ timeout.exe (PID: 3056)  (no specs)

Process information

PID: 3188
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.UUE"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3900
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE
Parent process: WinRAR.exe
User: admin
Company: ActionCenterCPL
Integrity Level: MEDIUM
Description: BackgroundMediaPolicy
Exit code: 0
Version: 836.511.848.500

PID: 3032
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Parent process: Proforma Invoice .XLSX.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 2.0.50727.5420 (Win7SP1.050727-5400)

PID: 3968
CMD: "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE"
Path: C:\Windows\System32\cmd.exe
Parent process: Proforma Invoice .XLSX.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3056
CMD: TimeOut 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 582
Read events: 552
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3900
Process: Proforma Invoice .XLSX.EXE
Filename: C:\Users\admin\AppData\Roaming\FaceFodUninstaller\AppVNice.exe
Type: executable
MD5: 67814AE6BFD67B2E4CE3C26545D2CF99
SHA256: D45B657AC71E4466327D864F6994590F28C79D2D7EB3B781374FFBBA1D36B400

PID: 3188
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3188.43020\Proforma Invoice .XLSX.EXE
Type: executable
MD5: A04665649E1E94ECB0604C98EF332131
SHA256: EBDDA84A40ECE8297C5374AD787599CC0B55162C628AECA95C99588E85874E3C
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 3032
Process: RegSvcs.exe
Method: GET
HTTP Code: 200
IP: 52.200.125.74:80
URL: http://checkip.amazonaws.com/
CN: US
Type: text
Size: 12 b
Reputation: shared

Connections

PID: 3032
Process: RegSvcs.exe
IP: 52.200.125.74:80
Domain: checkip.amazonaws.com
ASN: Amazon.com, Inc.
CN: US
Reputation: shared

PID: 3032
Process: RegSvcs.exe
IP: 198.54.125.61:26
Domain: mail.sweeddehacklord.us
ASN: Namecheap, Inc.
CN: US
Reputation: malicious

DNS requests

Domain: mail.sweeddehacklord.us
IP: 198.54.125.61
Reputation: malicious

Domain: checkip.amazonaws.com
IPs: 52.200.125.74, 52.206.161.133, 18.211.215.84, 52.202.139.131, 34.233.102.38, 52.6.79.229
Reputation: shared

Threats

PID: 3032
Process: RegSvcs.exe
Class: Generic Protocol Command Decode
Message: SURICATA Applayer Detect protocol only one direction

PID: 3032
Process: RegSvcs.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] AgentTesla IP Check

PID: 3032
Process: RegSvcs.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP
3 ETPRO signatures available at the full report
No debug info