File name: PO.zip
Full analysis: https://app.any.run/tasks/864b2836-bab7-4575-a4a8-337b7a3767da
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' activity by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: June 19, 2019, 14:01:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
stealer
agenttesla
evasion
trojan
rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 028AD02B2782226F0699837588ECCE3F
SHA1: 4155E7065EF6435247FB4F33527276D16B645588
SHA256: 2FF1F9885D26F61B433A685B56C135259C590F6CF772303FE2A1A47E12D6C32B
SSDEEP: 6144:EX3iIyRFW4UOTam8hRkGPsrRzJB9T19938NuwoLb6BsbLOC:EtK7U15hi0srhfNsupqCbLz

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PO.bat (PID: 2284)
      • PO.bat (PID: 2496)
    • Actions look like stealing of personal data

      • PO.bat (PID: 2284)
    • Detected AgentTesla Keylogger

      • PO.bat (PID: 2284)
    • Changes settings of System certificates

      • PO.bat (PID: 2284)
    • Changes the autorun value in the registry

      • PO.bat (PID: 2284)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2956)
      • PO.bat (PID: 2496)
    • Application launched itself

      • PO.bat (PID: 2496)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2956)
      • PO.bat (PID: 2284)
    • Suspicious files were dropped or overwritten

      • WinRAR.exe (PID: 2956)
    • Creates files in the user directory

      • PO.bat (PID: 2284)
    • Uses REG.EXE to modify Windows registry

      • PO.bat (PID: 2284)
    • Adds / modifies Windows certificates

      • PO.bat (PID: 2284)
    • Checks for external IP

      • PO.bat (PID: 2284)
  • INFO

    No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: PO.bat
ZipUncompressedSize: 475136
ZipCompressedSize: 362829
ZipCRC: 0xb4491522
ZipModifyDate: 2000:06:05 23:33:16
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20

The archive holds a single member named PO.bat, but the name is a disguise: the process table below shows the file carries PE version resources (Description: BRACHISTOCEPHALY, Version: 1.04.0005) and the dropped-files table types the extracted file as executable. The lure is a PE image under a script extension, which is exactly what the "Starts application with an unusual extension" indicator flags. The member's modify date of 2000-06-05 does not fit a 2019 purchase-order lure; do not read it as the sample's age.
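As an added example (not ANY.RUN's code, and not the real sample), the Python below reproduces the static check this section calls for: open the archive, pull the same EXIF-style fields the report lists, and classify each member by its bytes rather than its name, so a PE hiding under a .bat extension is flagged before anything is executed. The MZ/PE stub and the ZIP are constructed in memory; the member name, the modify date (copied from the report's ZipModifyDate) and the readme.txt control member are assumptions.

```python
"""Static triage of a ZIP whose member claims a script extension but carries a PE
image, as in this report's PO.zip -> PO.bat. Added example, not ANY.RUN code: the
archive and its 'PO.bat' member are constructed in memory and are not the real
sample (the real sample's hashes are in the report above)."""
import hashlib
import io
import os
import struct
import zipfile

# Extensions a mail gateway or a user would treat as "not a program"
SCRIPT_LIKE_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".txt", ".pdf", ".doc"}


def sniff(data: bytes) -> str:
    """Classify a blob by its bytes, ignoring whatever name it was given."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
        if 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-no-pe-header"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def inspect_archive(zip_bytes: bytes) -> list:
    """Return one record per member: EXIF-style metadata plus content sniffing."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            kind = sniff(data)
            records.append({
                "name": info.filename,
                "uncompressed_size": info.file_size,
                "compressed_size": info.compress_size,
                "crc": f"0x{info.CRC:08x}",
                "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
                "required_version": info.extract_version,
                "sha256": hashlib.sha256(data).hexdigest(),
                "content_type": kind,
                # the report's "unusual extension" case: a PE under a script-like name
                "extension_mismatch": kind == "pe" and ext in SCRIPT_LIKE_EXTS,
            })
    return records


def build_sample_zip() -> bytes:
    """Constructed stand-in for PO.zip: a tiny MZ/PE stub stored as 'PO.bat'."""
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)       # e_lfanew -> PE header at 0x80
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x84, 0x014C)     # IMAGE_FILE_HEADER.Machine = i386
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # date_time mirrors the report's ZipModifyDate; the content is constructed
        zi = zipfile.ZipInfo("PO.bat", date_time=(2000, 6, 5, 23, 33, 16))
        zf.writestr(zi, bytes(pe), compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("readme.txt", "benign control member\n")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in inspect_archive(build_sample_zip()):
        flag = "!! PE with script extension" if rec["extension_mismatch"] else "ok"
        print(f'{rec["name"]:12} {rec["content_type"]:16} {rec["sha256"][:16]}...  {flag}')
```

Run against a real archive by passing its bytes to `inspect_archive`; the SHA256 of each member is what you compare against the inner-file hash in the dropped-files table, since the archive hash alone only identifies the wrapper.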
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe → WinRAR.exe (2956) drops and starts PO.bat (2496, no specs), which starts a second PO.bat (2284, #AGENTTESLA), which starts REG.exe (2568, no specs).

Process information

PID: 2956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2496
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: BRACHISTOCEPHALY
Version: 1.04.0005
Exit code: 0

PID: 2284
CMD: C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat" (recorded with the unbalanced trailing quote)
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat
Parent process: PO.bat (PID 2496)
User: admin
Integrity Level: MEDIUM
Description: BRACHISTOCEPHALY
Version: 1.04.0005

PID: 2568
CMD: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Path: C:\Windows\system32\REG.exe
Parent process: PO.bat (PID 2284)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Exit code: 1

Notes on the tree: PO.bat is started directly by WinRAR and carries PE version resources (Description, Version), so it is a PE image under a script name, not a batch file interpreted by cmd.exe. The first instance (2496) exits with code 0 after launching a second copy of itself (2284); 2284 is the instance tagged #AGENTTESLA and the one behind all of the network activity below. REG.exe returned exit code 1, which reg.exe uses for failure, so the DisableTaskMgr value may not actually have been written; the report also records 0 write events. All four processes run at MEDIUM integrity, so nothing in this chain needed elevation.
Total events: 529
Read events: 486
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2956 (WinRAR.exe) wrote C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat (type: executable)
  MD5: DF20DB11AAA5564F2DC910A2CD50A88B
  SHA256: 93AD969B23572F706EBAD66ED73E6437845E92D9763FAE1BCFF8951610FFFC26
PID 2284 (PO.bat) wrote C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe (type: executable)
  MD5: DF20DB11AAA5564F2DC910A2CD50A88B
  SHA256: 93AD969B23572F706EBAD66ED73E6437845E92D9763FAE1BCFF8951610FFFC26

Both files carry the same hashes: the running sample copied itself byte for byte from WinRAR's temporary extraction directory to %APPDATA%\MyApp\MyApp.exe, a user-writable path that outlives the Rar$ temp directory, and the "Changes the autorun value in the registry" indicator above is the matching persistence step. When hunting on endpoints, pivot on the inner executable's SHA256 (93AD96...) rather than the archive's (2FF1F9...), which only identifies the wrapper.
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 2284 (PO.bat): GET http://checkip.amazonaws.com/ → 200, 34.233.102.38:80 (US), text, 14 b, reputation: shared

Connections

PID 2284 (PO.bat) → 208.91.199.225:587, us2.smtp.mailhostbox.com, ASN: PDR, US, reputation: shared
PID 2284 (PO.bat) → 34.233.102.38:80, checkip.amazonaws.com, ASN: Amazon.com, Inc., US, reputation: shared

The 14-byte plain-text answer from checkip.amazonaws.com is the victim's public IP address, and the TCP/587 connection to a shared mail host is the SMTP submission channel Agent Tesla uses to send its stolen data. Both endpoints are marked "shared" reputation: checkip.amazonaws.com is legitimate AWS infrastructure and mailhostbox.com is a commercial mail provider, so a host- or IP-level block would also hit legitimate traffic; the SMTP session itself, captured in the full report's PCAP, is the better pivot.

DNS requests

us2.smtp.mailhostbox.com (reputation: shared): 208.91.199.225, 208.91.199.223, 208.91.198.143, 208.91.199.224
checkip.amazonaws.com (reputation: shared): 34.233.102.38, 52.6.79.229, 52.200.125.74, 52.202.139.131, 52.206.161.133, 18.211.215.84

Threats

PID 2284 (PO.bat), Generic Protocol Command Decode: SURICATA Applayer Detect protocol only one direction
PID 2284 (PO.bat), A Network Trojan was detected: MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info
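The indicators, process tree, dropped files and network tables above describe one behaviour chain. As an added example, not ANY.RUN's signature engine, the Python below encodes that chain as host-side detection rules and replays them over constructed Sysmon-style telemetry whose PIDs, paths and hosts mirror the report: a process whose image is a .bat file, a self-relaunch out of WinRAR's Rar$ temp directory, an executable dropped under %APPDATA% by a temp-dir process, reg.exe setting DisableTaskMgr, and an external-IP check followed by SMTP submission from something that is not a mail client. The event schema, the timestamps, the benign mail-client control process (PID 3100, a made-up path) and the list of IP-check hosts are assumptions.

```python
"""Detection rules for the behaviour chain in this report, run over constructed
Sysmon-style telemetry. Added example, not ANY.RUN's signature logic: the event
schema (type/pid/ppid/image/cmdline/path/dst_host/dst_port) is assumed, and every
record in EVENTS is constructed to mirror the report's tables."""
import re

SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
IP_CHECK_HOSTS = {"checkip.amazonaws.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}
MAIL_CLIENTS = ("\\outlook.exe", "\\thunderbird.exe")
# the exact reg.exe command from the report, matched loosely on the parts that matter
REG_DISABLE_TASKMGR = re.compile(r"policies\\system\b.*\bdisabletaskmgr\b.*/d\s+1\b", re.I)

EVENTS = [  # constructed; PIDs, paths and hosts follow the report, timestamps are invented
    {"t": 0, "type": "process", "pid": 3100, "ppid": 1300,          # benign control
     "image": r"C:\Program Files\Outlook\outlook.exe", "cmdline": "outlook.exe"},
    {"t": 1, "type": "process", "pid": 2956, "ppid": 1300,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO.zip"'},
    {"t": 2, "type": "process", "pid": 2496, "ppid": 2956,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat"'},
    {"t": 3, "type": "process", "pid": 2284, "ppid": 2496,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat",
     "cmdline": r'C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat"'},
    {"t": 4, "type": "file", "pid": 2284, "path": r"C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe"},
    {"t": 5, "type": "process", "pid": 2568, "ppid": 2284, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"t": 6, "type": "network", "pid": 2284, "dst_host": "checkip.amazonaws.com", "dst_port": 80},
    {"t": 7, "type": "network", "pid": 2284, "dst_host": "us2.smtp.mailhostbox.com", "dst_port": 587},
    {"t": 8, "type": "network", "pid": 3100, "dst_host": "smtp.example.net", "dst_port": 587},
]


def detect(events: list) -> list:
    """Replay events in time order; return (rule, pid) hits attributed like the report."""
    hits = []
    image_of = {}          # pid -> image path seen at process creation
    did_ip_check = set()   # pids that asked an external-IP service for their address
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process":
            image_of[ev["pid"]] = ev["image"]
            img = ev["image"].lower()
            parent = image_of.get(ev["ppid"], "").lower()
            # Sysmon's Image is the executable actually loaded: a .bat here means a PE
            # was launched under a script name, not a batch file run by cmd.exe
            if img.endswith(SCRIPT_EXTS):
                hits.append(("process_image_with_script_extension", ev["pid"]))
            if img == parent and "\\temp\\rar$" in img:
                hits.append(("self_relaunch_from_archive_temp", ev["pid"]))
            if img.endswith("\\reg.exe") and REG_DISABLE_TASKMGR.search(ev["cmdline"]):
                hits.append(("reg_disable_taskmgr", ev["ppid"]))   # blame the caller
        elif ev["type"] == "file":
            path = ev["path"].lower()
            if path.endswith(".exe") and "\\appdata\\roaming\\" in path \
                    and "\\temp\\" in image_of.get(ev["pid"], "").lower():
                hits.append(("exe_dropped_to_roaming_from_temp", ev["pid"]))
        elif ev["type"] == "network":
            if ev["dst_host"].lower() in IP_CHECK_HOSTS:
                did_ip_check.add(ev["pid"])
            elif ev["dst_port"] in MAIL_SUBMISSION_PORTS and ev["pid"] in did_ip_check \
                    and not image_of.get(ev["pid"], "").lower().endswith(MAIL_CLIENTS):
                hits.append(("ip_check_then_smtp_submission", ev["pid"]))
    return hits


def triage(hits: list, threshold: int = 3) -> set:
    """PIDs that tripped at least `threshold` distinct rules."""
    rules_by_pid = {}
    for rule, pid in hits:
        rules_by_pid.setdefault(pid, set()).add(rule)
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid in found:
        print(f"{pid:6} {rule}")
    print("escalate:", sorted(triage(found)))
```

Two design points worth copying into a real rule set: the reg.exe hit is attributed to the parent, as the report does, because the interesting process is the one that decided to disable Task Manager, not reg.exe; and the SMTP rule is stateful, firing only for a process that first asked an external-IP service for its address, which keeps an ordinary mail client (the PID 3100 control) from triggering it.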