File name:

abf616c8-f805-ed87-0caa-ebb5e53d4391.eml

Full analysis: https://app.any.run/tasks/ab3600a8-3594-4e46-8a8e-2abc329a4d1f
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: December 05, 2022, 17:26:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
agenttesla
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

74D5EF95127671DFDAF8685731DBA177

SHA1:

68C028E760747BB3D11172749B1F5AD4BDCD136F

SHA256:

19B4F4F7AE7E3F16E6BA52CA11A9118522CDFBFF326A039555294872B74AEB38

SSDEEP:

12288:h1IoH/NVBlnXbS8d0UWNlb/3IktBCyqxUdAQesrH4yZ6JwzgfqBjHc+QP:hpfABPIkaUdwsrpZfgfqBw+QP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • pago 89336.exe (PID: 3780)
      • pago 89336.exe (PID: 2920)
    • Steals credentials from Web Browsers

      • pago 89336.exe (PID: 2920)
    • AGENTTESLA detected by memory dumps

      • pago 89336.exe (PID: 2920)
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • OUTLOOK.EXE (PID: 2056)
    • Application launched itself

      • pago 89336.exe (PID: 3780)
    • Reads the Internet Settings

      • pago 89336.exe (PID: 2920)
    • Reads settings of System Certificates

      • pago 89336.exe (PID: 2920)
    • Adds/modifies Windows certificates

      • pago 89336.exe (PID: 2920)
  • INFO

    • Checks supported languages

      • pago 89336.exe (PID: 3780)
      • pago 89336.exe (PID: 2920)
    • Reads the computer name

      • pago 89336.exe (PID: 3780)
      • pago 89336.exe (PID: 2920)
    • Manual execution by a user

      • WinRAR.exe (PID: 3176)
    • Reads Environment values

      • pago 89336.exe (PID: 2920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start outlook.exe winrar.exe no specs pago 89336.exe no specs #AGENTTESLA pago 89336.exe

Process information

PID
CMD
Path
Indicators
Parent process
2056"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\abf616c8-f805-ed87-0caa-ebb5e53d4391.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3176"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pago 89336.r09"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3780"C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.20355\pago 89336.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.20355\pago 89336.exeWinRAR.exe
User:
admin
Company:
MagnaSolution
Integrity Level:
MEDIUM
Description:
Leather Worker
Exit code:
0
Version:
1.3.0.0
Modules
Images
c:\windows\system32\mscoree.dll
c:\users\admin\appdata\local\temp\rar$exa3176.20355\pago 89336.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2920"C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.20355\pago 89336.exe"C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.20355\pago 89336.exe
pago 89336.exe
User:
admin
Company:
MagnaSolution
Integrity Level:
MEDIUM
Description:
Leather Worker
Version:
1.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3176.20355\pago 89336.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events
9 928
Read events
9 304
Write events
602
Delete events
22

Modification events

(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(2056) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
1
Suspicious files
6
Text files
12
Unknown types
2

Dropped files

PID
Process
Filename
Type
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVREC49.tmp.cvr
MD5:
SHA256:
2056OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2920pago 89336.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:FC4666CBCA561E864E7FDF883A9E6661
SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_69F8C583A83A284192DFF828FC443DA6.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_1789284CF55D234B83177AE717DF5D37.datxml
MD5:BBCF400BD7AE536EB03054021D6A6398
SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\8LJHU5SD\pago 89336 (2).r09:Zone.Identifier:$DATAtext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_F024CE012444244BA81604051E53AB5D.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2056OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\8LJHU5SD\pago 89336 (2).r09compressed
MD5:71427E1F61A197AA95D21A8B9B611C46
SHA256:081D6A42E28C88ACACA0338740DD3EAF6756A6A0DAED856CC74B6863986C98FF
2056OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:9F533AE22FC6F834410AFFC3F70AE898
SHA256:E67479B614452923965EF4D84AB41FFE339FDECAF1BBB27A04D220EB7347A4FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
4
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2920
pago 89336.exe
GET
200
95.140.236.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?15a1ed1750f5a05b
GB
compressed
61.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2920
pago 89336.exe
78.140.195.54:587
mail2.bpk-spb.ru
JSC Severen-Telecom
RU
unknown
2920
pago 89336.exe
95.140.236.128:80
ctldl.windowsupdate.com
LLNW
US
malicious
2056
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
mail2.bpk-spb.ru
  • 78.140.195.54
  • 217.119.27.174
unknown
ctldl.windowsupdate.com
  • 95.140.236.128
  • 178.79.242.128
whitelisted

Threats

PID
Process
Class
Message
2920
pago 89336.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info