File name: Scanned_Copy_65H632.jpg.rar

Full analysis: https://app.any.run/tasks/e9ea3cd3-28ed-4bab-b49c-211ece9c8531
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where it is sold.

Analysis date: August 17, 2019, 20:18:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
stealer
rat
remcos
evasion
trojan
agenttesla
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 14E65439594900E73D3847F6C57C0465
SHA1: 01FC8DA8972A18F608EC2F8D2A5026BBFCA30218
SHA256: 1D0F5FA95BF813DF8CF53897C236CA02F9D29A3FE3214B0659A32D4437F772EA
SSDEEP: 12288:vUJsq0/P4ulrhoqOI3W1fVnYXU7P0bYciA7zWTSd5av5OrEA/2d5fGDDgrEWphqK:c10/7lt8fVnYXL0cZWkwxOrofG3QEkqK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • xyz.exe (PID: 3220)
      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
      • xyz.exe (PID: 2772)
      • Scanned_Copy_65H632.jpg.exe (PID: 2780)
      • win-server.exe (PID: 2592)
    • Known privilege escalation attack

      • xyz.exe (PID: 3220)
      • xyz.exe (PID: 2772)
      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • Changes the autorun value in the registry

      • xyz.exe (PID: 2772)
      • win-server.exe (PID: 2592)
      • iexplore.exe (PID: 3276)
      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • Uses SVCHOST.EXE for hidden code execution

      • iexplore.exe (PID: 3276)
    • Uses NirSoft utilities to collect credentials

      • iexplore.exe (PID: 3032)
      • iexplore.exe (PID: 2240)
    • REMCOS was detected

      • iexplore.exe (PID: 3276)
    • Detected logs from REMCOS RAT

      • iexplore.exe (PID: 3276)
    • Actions look like stealing of personal data

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • AGENTTESLA was detected

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
  • SUSPICIOUS

    • Writes files like Keylogger logs

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
      • xyz.exe (PID: 2772)
      • iexplore.exe (PID: 3276)
    • Executable content was dropped or overwritten

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
      • WinRAR.exe (PID: 2900)
      • xyz.exe (PID: 2772)
    • Modifies the open verb of a shell class

      • xyz.exe (PID: 3220)
      • xyz.exe (PID: 2772)
      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • Application launched itself

      • Scanned_Copy_65H632.jpg.exe (PID: 2780)
    • Creates files in the user directory

      • xyz.exe (PID: 2772)
      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • Executes scripts

      • xyz.exe (PID: 2772)
    • Starts Internet Explorer

      • win-server.exe (PID: 2592)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 4064)
    • Reads the cookies of Google Chrome

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • Checks for external IP

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
    • Reads the cookies of Mozilla Firefox

      • Scanned_Copy_65H632.jpg.exe (PID: 3424)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3276)
    • Application launched itself

      • iexplore.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
57
Monitored processes
17
Malicious processes
12
Suspicious processes
0

Behavior graph

Nodes in graph order (the source graph labels edges "drop and start" and "start"; a tag before a name marks that node):
  • winrar.exe
  • scanned_copy_65h632.jpg.exe (no specs)
  • scanned_copy_65h632.jpg.exe #AGENTTESLA
  • xyz.exe (no specs)
  • eventvwr.exe (no specs)
  • eventvwr.exe
  • xyz.exe
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • win-server.exe
  • iexplore.exe #REMCOS
  • svchost.exe (no specs)
  • iexplore.exe
  • iexplore.exe (no specs)
  • iexplore.exe
  • eventvwr.exe (no specs)
  • eventvwr.exe

Process information

PID: 2900
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scanned_Copy_65H632.jpg.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2780
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe
Parent process: WinRAR.exe
User: admin
Company: smaRT
Integrity Level: MEDIUM
Description: saddelmagerne
Exit code: 0
Version: 1.06.0001

PID: 3424
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe
Parent process: Scanned_Copy_65H632.jpg.exe
User: admin
Company: smaRT
Integrity Level: MEDIUM
Description: saddelmagerne
Version: 1.06.0001

PID: 3220
CMD: "C:\Users\admin\xyz.exe"
Path: C:\Users\admin\xyz.exe
Parent process: Scanned_Copy_65H632.jpg.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2436
CMD: "C:\Windows\System32\eventvwr.exe"
Path: C:\Windows\System32\eventvwr.exe
Parent process: xyz.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Event Viewer Snapin Launcher
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3964
CMD: "C:\Windows\System32\eventvwr.exe"
Path: C:\Windows\System32\eventvwr.exe
Parent process: xyz.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Event Viewer Snapin Launcher
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2772
CMD: "C:\Users\admin\xyz.exe"
Path: C:\Users\admin\xyz.exe
Parent process: eventvwr.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 4064
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: xyz.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3944
CMD: "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\System\win-server.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 3
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2592
CMD: C:\Users\admin\AppData\Roaming\System\win-server.exe
Path: C:\Users\admin\AppData\Roaming\System\win-server.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 3
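The process table shows the chain xyz.exe (PID 3220, MEDIUM) starting eventvwr.exe twice: the first instance (PID 2436) stays at MEDIUM and exits with STATUS_ELEVATION_REQUIRED, the second (PID 3964) runs at HIGH and spawns xyz.exe again (PID 2772) at HIGH. That is the shape of the well-known eventvwr.exe UAC bypass: the launcher plants a command under HKCU\Software\Classes\mscfile\shell\open\command (the "open verb of a shell class" the signature above refers to; the key itself is not shown in this report, whose Modification events section reads "No data") and starts the auto-elevating Event Viewer, which executes the planted command at high integrity. Below is an added detection example that is not part of the ANY.RUN report and not ANY.RUN's code: PROCS is constructed from the table above, while the field names, the auto-elevate host list and the rule logic are my own assumptions to adapt to real process-creation telemetry (Sysmon event 1 carries the same parent PID and integrity level fields).

```python
"""Added example: flag the eventvwr.exe UAC-bypass chain in process-creation
telemetry. Not part of the ANY.RUN report; PROCS is constructed from the
process table above, everything else is an assumption to adapt to your data."""
from dataclasses import dataclass

# Auto-elevating Microsoft binaries commonly abused as UAC-bypass hosts
# (assumption: extend for your environment; eventvwr.exe is the one seen here).
AUTO_ELEVATE_HOSTS = {"eventvwr.exe", "fodhelper.exe", "computerdefaults.exe", "sdclt.exe"}
LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str
    parent_pid: int
    integrity: str

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
PAYLOAD = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe"
XYZ = r"C:\Users\admin\xyz.exe"
EVENTVWR = r"C:\Windows\System32\eventvwr.exe"

# Constructed from the report's process table (PID, path, parent PID, integrity).
PROCS = [
    Proc(2900, WINRAR, 0, "MEDIUM"),       # parent explorer.exe is not in the table; 0 stands in
    Proc(2780, PAYLOAD, 2900, "MEDIUM"),
    Proc(3424, PAYLOAD, 2780, "MEDIUM"),
    Proc(3220, XYZ, 3424, "MEDIUM"),
    Proc(2436, EVENTVWR, 3220, "MEDIUM"),  # exit 0xC000042C = STATUS_ELEVATION_REQUIRED
    Proc(3964, EVENTVWR, 3220, "HIGH"),    # the auto-elevated instance
    Proc(2772, XYZ, 3964, "HIGH"),         # same binary as 3220, now high integrity
    Proc(4064, r"C:\Windows\System32\WScript.exe", 2772, "HIGH"),
    Proc(3944, r"C:\Windows\System32\cmd.exe", 4064, "HIGH"),
    Proc(2592, r"C:\Users\admin\AppData\Roaming\System\win-server.exe", 3944, "HIGH"),
]


def under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def find_uac_bypass(procs):
    """Return (launcher, host, payload) PID triples: an auto-elevate host that
    runs at higher integrity than the process that started it and then spawns
    a child from outside C:\\Windows at that elevated level."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for host in procs:
        if host.image not in AUTO_ELEVATE_HOSTS:
            continue
        launcher = by_pid.get(host.parent_pid)
        if launcher is None or LEVEL[host.integrity] <= LEVEL[launcher.integrity]:
            continue
        for child in procs:
            if child.parent_pid == host.pid and not under_windows(child.path):
                findings.append((launcher.pid, host.pid, child.pid))
    return findings


def find_integrity_jumps(procs):
    """Broader fallback: any child running above its parent's integrity level."""
    by_pid = {p.pid: p for p in procs}
    return [(p.parent_pid, p.pid) for p in procs
            if p.parent_pid in by_pid
            and LEVEL[p.integrity] > LEVEL[by_pid[p.parent_pid].integrity]]


if __name__ == "__main__":
    for launcher, host, payload in find_uac_bypass(PROCS):
        print(f"UAC bypass: {launcher} -> {host} (auto-elevate host) -> {payload} at HIGH")
    print("integrity jumps (parent, child):", find_integrity_jumps(PROCS))
```

On this data find_uac_bypass returns the single triple (3220, 3964, 2772) and find_integrity_jumps returns [(3220, 3964)]; the MEDIUM eventvwr.exe instance (PID 2436) is correctly ignored because it never elevated. On real telemetry, pair the process rule with a registry-write rule on the mscfile open verb (Sysmon event 13) written by the launcher shortly before the host starts; the registry side is what the report's "Modifies the open verb of a shell class" signature fires on, and it is the cheaper signal when the payload is launched by a host not in your allowlist.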
Total events
1 270
Read events
1 167
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
3
Text files
11
Unknown types
1

Dropped files

PID: 3424 (Scanned_Copy_65H632.jpg.exe)
Filename: C:\Users\admin\AppData\Roaming\t1uef05u.rlp\Chrome\Default\Cookies
MD5:
SHA256:

PID: 3424 (Scanned_Copy_65H632.jpg.exe)
Filename: C:\Users\admin\AppData\Roaming\t1uef05u.rlp\Firefox\Profiles\qldyz51w.default\cookies.sqlite
MD5:
SHA256:

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2900.16872\Scanned_Copy_65H632.jpg.exe
MD5:
SHA256:

PID: 3424 (Scanned_Copy_65H632.jpg.exe)
Filename: C:\Users\admin\AppData\Local\Temp\tmpG288.tmp
Type: executable
MD5: E906F205487A151B65FE8F32DF500590
SHA256: B092AEE6A42C1CCD466213484FAC78B2B066EDD880E8FE91C8FF22EAD249D684
(same hashes as the extracted Scanned_Copy_65H632.jpg.exe below: the payload wrote a copy of itself)

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe
Type: executable
MD5: E906F205487A151B65FE8F32DF500590
SHA256: B092AEE6A42C1CCD466213484FAC78B2B066EDD880E8FE91C8FF22EAD249D684

PID: 2772 (xyz.exe)
Filename: C:\Users\admin\AppData\Local\Temp\install.vbs
Type: binary
MD5: D61DE7019AAF6E56CE99C9BB417D28A4
SHA256: 03BE4FFB18015BF65DCBB061205AA4BB26E8C9C7DBED1C6DA9B4FE71243EBEC9

PID: 3424 (Scanned_Copy_65H632.jpg.exe)
Filename: C:\Users\admin\AppData\Roaming\t1uef05u.rlp.zip
Type: compressed
MD5: AD5DC5EDA744B2A744D334CFE6566026
SHA256: 24BC8158C9BA81DAF4BA46D6F36990B56C5A3F79B08B09740104FFCE61B54F7A

PID: 3424 (Scanned_Copy_65H632.jpg.exe)
Filename: C:\Users\admin\AppData\Local\Temp\637016735493826250_9211c1ca-eaf7-4c1b-b3e8-ff988da9b8c4.db
Type: sqlite
MD5: 0B3C43342CE2A99318AA0FE9E531C57B
SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8

PID: 3276 (iexplore.exe)
Filename: C:\Users\admin\AppData\Roaming\remcos\logs.dat
Type: text
MD5: 914174B4773BF5E95637EC4DEF34708F
SHA256: 5EA53C13C23BCED99D822F022CCB2D1C7F7400D7DAC44648A5D1115482847A4A

PID: 3424 (Scanned_Copy_65H632.jpg.exe)
Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
Type: text
MD5: 6DC4449008536F212BB877255D8A5BED
SHA256: BCDE8024593BD4D7D8756831D245C2A7A34B1AD5AFDE06A3444C16CCAE8EE6E6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3424 | Scanned_Copy_65H632.jpg.exe | GET | 200 | 52.55.255.113:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared
3424 | Scanned_Copy_65H632.jpg.exe | GET | 200 | 52.55.255.113:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared

The two rows are separate requests, not a duplicate; they match the two "AgentTesla IP Check" alerts in the Threats table below.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3276 | iexplore.exe | 185.165.153.92:3434 | | | NL | malicious
3424 | Scanned_Copy_65H632.jpg.exe | 68.65.122.244:587 | premium73.web-hosting.com | Namecheap, Inc. | US | malicious
3424 | Scanned_Copy_65H632.jpg.exe | 52.55.255.113:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared

DNS requests

Domain
IP
Reputation
checkip.amazonaws.com
  • 52.55.255.113
  • 18.205.71.63
  • 3.224.145.145
  • 34.196.181.158
  • 52.44.169.135
  • 18.204.189.102
shared
premium73.web-hosting.com
  • 68.65.122.244
malicious
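Taken together, the dropped-files and network tables describe the Agent Tesla collection-and-exfiltration sequence for PID 3424: the Chrome Cookies and Firefox cookies.sqlite stores are copied into a staging directory under AppData\Roaming, the directory is zipped, the host's public IP is looked up via checkip.amazonaws.com, and a connection goes to a hosting provider on TCP 587 (SMTP submission). Below is an added correlation example that is not part of the ANY.RUN report and not ANY.RUN's code: FILE_EVENTS and NET_EVENTS are constructed from the two tables, while the allowlists, the IP-check domain list and the rule names are my own assumptions.

```python
"""Added example: correlate file-write and network telemetry into a
'collect browser stores, then exfiltrate over SMTP' finding of the kind this
report shows for PID 3424. Not part of the ANY.RUN report; the events are
constructed from its Dropped files and Connections tables, the lists and
rule names are my assumptions."""
from collections import defaultdict
import ntpath

# Assumed lists; tune to your environment.
BROWSER_STORES = {"cookies", "cookies.sqlite", "login data", "logins.json", "key4.db"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_CHECK_DOMAINS = {"checkip.amazonaws.com", "api.ipify.org", "icanhazip.com"}
SMTP_PORTS = {25, 465, 587}

# (pid, image, path written): constructed from the Dropped files table.
FILE_EVENTS = [
    (3424, "Scanned_Copy_65H632.jpg.exe", r"C:\Users\admin\AppData\Roaming\t1uef05u.rlp\Chrome\Default\Cookies"),
    (3424, "Scanned_Copy_65H632.jpg.exe", r"C:\Users\admin\AppData\Roaming\t1uef05u.rlp\Firefox\Profiles\qldyz51w.default\cookies.sqlite"),
    (3424, "Scanned_Copy_65H632.jpg.exe", r"C:\Users\admin\AppData\Roaming\t1uef05u.rlp.zip"),
    (3276, "iexplore.exe", r"C:\Users\admin\AppData\Roaming\remcos\logs.dat"),
]
# (pid, image, dst_ip, dst_port, domain or None): constructed from Connections.
NET_EVENTS = [
    (3276, "iexplore.exe", "185.165.153.92", 3434, None),
    (3424, "Scanned_Copy_65H632.jpg.exe", "68.65.122.244", 587, "premium73.web-hosting.com"),
    (3424, "Scanned_Copy_65H632.jpg.exe", "52.55.255.113", 80, "checkip.amazonaws.com"),
]


def file_rules(image, path):
    """Yield rule names triggered by one file write."""
    name = ntpath.basename(path).lower()
    if name in BROWSER_STORES and image.lower() not in BROWSERS:
        yield "browser_store_written_by_non_browser"
    if name.endswith(".zip") and "\\appdata\\roaming\\" in path.lower():
        yield "archive_staged_in_roaming"


def net_rules(image, port, domain):
    """Yield rule names triggered by one outbound connection."""
    if port in SMTP_PORTS and image.lower() not in MAIL_CLIENTS:
        yield "smtp_from_non_mail_client"
    if domain and domain.lower() in IP_CHECK_DOMAINS:
        yield "external_ip_check"


def correlate(file_events, net_events):
    """Map PID -> sorted rule names; adds the composite 'stealer_smtp_exfil'
    when the same PID both copied a browser store and spoke SMTP. PIDs with
    no hits are left out."""
    hits = defaultdict(set)
    for pid, image, path in file_events:
        hits[pid].update(file_rules(image, path))
    for pid, image, _ip, port, domain in net_events:
        hits[pid].update(net_rules(image, port, domain))
    findings = {}
    for pid, tags in hits.items():
        if {"browser_store_written_by_non_browser", "smtp_from_non_mail_client"} <= tags:
            tags.add("stealer_smtp_exfil")
        if tags:
            findings[pid] = sorted(tags)
    return findings


if __name__ == "__main__":
    for pid, tags in correlate(FILE_EVENTS, NET_EVENTS).items():
        print(pid, ", ".join(tags))
```

On this data PID 3424 collects all four atomic rules plus the composite one, and PID 3276 produces nothing: its Remcos beacon to 185.165.153.92:3434 has no well-known port or domain to key on, which is why the report relies on a protocol-level Suricata signature for it. Note also that the process-name allowlist exempts iexplore.exe, and in this very sample Remcos ran inside iexplore.exe (PID 3276); name-based allowlists should be backed by signer or code-integrity checks on the process image.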

Threats

PID | Process | Class | Message
3276 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
3424 | Scanned_Copy_65H632.jpg.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check
3424 | Scanned_Copy_65H632.jpg.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check
3424 | Scanned_Copy_65H632.jpg.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
3424 | Scanned_Copy_65H632.jpg.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
4 ETPRO signatures available at the full report
No debug info