| Field | Value |
|---|---|
| File name | Scanned_Copy_65H632.jpg.rar |
| Full analysis | https://app.any.run/tasks/e9ea3cd3-28ed-4bab-b49c-211ece9c8531 |
| Verdict | Malicious activity |
| Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
| Analysis date | August 17, 2019, 20:18:27 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/x-rar |
| File info | RAR archive data, v5 |
| MD5 | 14E65439594900E73D3847F6C57C0465 |
| SHA1 | 01FC8DA8972A18F608EC2F8D2A5026BBFCA30218 |
| SHA256 | 1D0F5FA95BF813DF8CF53897C236CA02F9D29A3FE3214B0659A32D4437F772EA |
| SSDEEP | 12288:vUJsq0/P4ulrhoqOI3W1fVnYXU7P0bYciA7zWTSd5av5OrEA/2d5fGDDgrEWphqK:c10/7lt8fVnYXL0cZWkwxOrofG3QEkqK |

| Extension | File type | Confidence (%) |
|---|---|---|
| .rar | RAR compressed archive (v5.0) | 61.5 |
| .rar | RAR compressed archive (gen) | 38.4 |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2900 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scanned_Copy_65H632.jpg.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2780 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe | — | WinRAR.exe | User: admin; Company: smaRT; Integrity Level: MEDIUM; Description: saddelmagerne; Exit code: 0; Version: 1.06.0001 |
| 3424 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe | — | Scanned_Copy_65H632.jpg.exe | User: admin; Company: smaRT; Integrity Level: MEDIUM; Description: saddelmagerne; Version: 1.06.0001 |
| 3220 | "C:\Users\admin\xyz.exe" | C:\Users\admin\xyz.exe | — | Scanned_Copy_65H632.jpg.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2436 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | xyz.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Event Viewer Snapin Launcher; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3964 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | xyz.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Event Viewer Snapin Launcher; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2772 | "C:\Users\admin\xyz.exe" | C:\Users\admin\xyz.exe | — | eventvwr.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 4064 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | xyz.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3944 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\System\win-server.exe" | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 3; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2592 | C:\Users\admin\AppData\Roaming\System\win-server.exe | C:\Users\admin\AppData\Roaming\System\win-server.exe | — | cmd.exe | User: admin; Integrity Level: HIGH; Exit code: 3 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3424 | Scanned_Copy_65H632.jpg.exe | C:\Users\admin\AppData\Roaming\t1uef05u.rlp\Chrome\Default\Cookies | — | — | — |
| 3424 | Scanned_Copy_65H632.jpg.exe | C:\Users\admin\AppData\Roaming\t1uef05u.rlp\Firefox\Profiles\qldyz51w.default\cookies.sqlite | — | — | — |
| 2900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2900.16872\Scanned_Copy_65H632.jpg.exe | — | — | — |
| 3424 | Scanned_Copy_65H632.jpg.exe | C:\Users\admin\AppData\Local\Temp\tmpG288.tmp | executable | E906F205487A151B65FE8F32DF500590 | B092AEE6A42C1CCD466213484FAC78B2B066EDD880E8FE91C8FF22EAD249D684 |
| 2900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12974\Scanned_Copy_65H632.jpg.exe | executable | E906F205487A151B65FE8F32DF500590 | B092AEE6A42C1CCD466213484FAC78B2B066EDD880E8FE91C8FF22EAD249D684 |
| 2772 | xyz.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | D61DE7019AAF6E56CE99C9BB417D28A4 | 03BE4FFB18015BF65DCBB061205AA4BB26E8C9C7DBED1C6DA9B4FE71243EBEC9 |
| 3424 | Scanned_Copy_65H632.jpg.exe | C:\Users\admin\AppData\Roaming\t1uef05u.rlp.zip | compressed | AD5DC5EDA744B2A744D334CFE6566026 | 24BC8158C9BA81DAF4BA46D6F36990B56C5A3F79B08B09740104FFCE61B54F7A |
| 3424 | Scanned_Copy_65H632.jpg.exe | C:\Users\admin\AppData\Local\Temp\637016735493826250_9211c1ca-eaf7-4c1b-b3e8-ff988da9b8c4.db | sqlite | 0B3C43342CE2A99318AA0FE9E531C57B | 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 |
| 3276 | iexplore.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | 914174B4773BF5E95637EC4DEF34708F | 5EA53C13C23BCED99D822F022CCB2D1C7F7400D7DAC44648A5D1115482847A4A |
| 3424 | Scanned_Copy_65H632.jpg.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini | text | 6DC4449008536F212BB877255D8A5BED | BCDE8024593BD4D7D8756831D245C2A7A34B1AD5AFDE06A3444C16CCAE8EE6E6 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3424 | Scanned_Copy_65H632.jpg.exe | GET | 200 | 52.55.255.113:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
| 3424 | Scanned_Copy_65H632.jpg.exe | GET | 200 | 52.55.255.113:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3276 | iexplore.exe | 185.165.153.92:3434 | — | — | NL | malicious |
| 3424 | Scanned_Copy_65H632.jpg.exe | 68.65.122.244:587 | premium73.web-hosting.com | Namecheap, Inc. | US | malicious |
| 3424 | Scanned_Copy_65H632.jpg.exe | 52.55.255.113:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |

| Domain | IP | Reputation |
|---|---|---|
| checkip.amazonaws.com | — | shared |
| premium73.web-hosting.com | — | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 3276 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection |
| 3424 | Scanned_Copy_65H632.jpg.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
| 3424 | Scanned_Copy_65H632.jpg.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
| 3424 | Scanned_Copy_65H632.jpg.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
| 3424 | Scanned_Copy_65H632.jpg.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |