File name: | PO.zip |
Full analysis: | https://app.any.run/tasks/864b2836-bab7-4575-a4a8-337b7a3767da |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | June 19, 2019, 14:01:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 028AD02B2782226F0699837588ECCE3F |
SHA1: | 4155E7065EF6435247FB4F33527276D16B645588 |
SHA256: | 2FF1F9885D26F61B433A685B56C135259C590F6CF772303FE2A1A47E12D6C32B |
SSDEEP: | 6144:EX3iIyRFW4UOTam8hRkGPsrRzJB9T19938NuwoLb6BsbLOC:EtK7U15hi0srhfNsupqCbLz |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | PO.bat |
---|---|
ZipUncompressedSize: | 475136 |
ZipCompressedSize: | 362829 |
ZipCRC: | 0xb4491522 |
ZipModifyDate: | 2000:06:05 23:33:16 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2496 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat" | C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Description: BRACHISTOCEPHALY Exit code: 0 Version: 1.04.0005 | ||||
2284 | C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat" | C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat | PO.bat | |
User: admin Integrity Level: MEDIUM Description: BRACHISTOCEPHALY Version: 1.04.0005 | ||||
2568 | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\system32\REG.exe | — | PO.bat |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42914\PO.bat | executable | |
MD5:DF20DB11AAA5564F2DC910A2CD50A88B | SHA256:93AD969B23572F706EBAD66ED73E6437845E92D9763FAE1BCFF8951610FFFC26 | |||
2284 | PO.bat | C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe | executable | |
MD5:DF20DB11AAA5564F2DC910A2CD50A88B | SHA256:93AD969B23572F706EBAD66ED73E6437845E92D9763FAE1BCFF8951610FFFC26 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2284 | PO.bat | GET | 200 | 34.233.102.38:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2284 | PO.bat | 208.91.199.225:587 | us2.smtp.mailhostbox.com | PDR | US | shared |
2284 | PO.bat | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
us2.smtp.mailhostbox.com |
| shared |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2284 | PO.bat | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2284 | PO.bat | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |