File name: DOC PO 011119,DOC.arj

Full analysis: https://app.any.run/tasks/a6a7ed71-a1aa-4ead-b239-94211cd7e450
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: January 11, 2019, 13:32:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
rat
agenttesla
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5 (note: the sample carries an .arj extension, but its content is a RAR v5 archive; WinRAR opens it by content regardless of the extension, as the process list below shows)
MD5: ACB521FE0D5370F3D3AC619F9A447D80
SHA1: C8C2D91654A7077F1123B02D6F89099246888A60
SHA256: 32ACAA1A410D62B60DA170BF4B34ED3D2B684DF5E722ECC9E0AE23E20AEC14E5
SSDEEP: 6144:r7/F4qzBI4d6s0OD+aVf8owSIwJj9AUBYpcxFpGGrBDQokii6MgDil:r7F4AW4d6FOiCZLV9zqcxvGABVMgGl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • pol.exe (PID: 2288)
      • pol.exe (PID: 3756)
    • Changes settings of System certificates
      • pol.exe (PID: 3756)
    • Actions look like stealing of personal data
      • pol.exe (PID: 3756)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • pol.exe (PID: 3756)
    • Application launched itself
      • pol.exe (PID: 2288)
    • Checks for external IP
      • pol.exe (PID: 3756)
    • Loads DLL from Mozilla Firefox
      • pol.exe (PID: 3756)
    • Adds / modifies Windows certificates
      • pol.exe (PID: 3756)
    • Connects to SMTP port
      • pol.exe (PID: 3756)
  • INFO
    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
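The TRiD result above agrees with the file info: the sample is a RAR 5 archive despite its .arj name. The script below, an added example rather than ANY.RUN's code, reproduces that check from the public container signatures: it reads the leading bytes, maps them to a format, and flags a file whose extension claims something else. The file names and header bytes are constructed for the demonstration (the real sample's bytes are not on this page); only the magic values are real.

```python
"""Check an archive's real format against its file extension.

Added example, not code from ANY.RUN. Magic values are the public container
signatures; the file names and header bytes below are constructed.
"""
from pathlib import PurePath

# Leading-byte signatures, longest first so the RAR 5 marker is tried before RAR 4.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),    # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar4"),        # RAR 1.5 to 4.x
    (b"7z\xbc\xaf\x27\x1c", "7z"),        # 7-Zip
    (b"PK\x03\x04", "zip"),               # ZIP local file header
    (b"\x60\xea", "arj"),                 # ARJ header marker
]

# Formats an extension may legitimately contain.
EXPECTED = {".rar": {"rar4", "rar5"}, ".arj": {"arj"}, ".zip": {"zip"}, ".7z": {"7z"}}


def identify(header: bytes) -> str:
    """Return the format name for the archive whose first bytes are `header`."""
    for magic, fmt in SIGNATURES:
        if header.startswith(magic):
            return fmt
    return "unknown"


def check_extension(filename: str, header: bytes) -> dict:
    """Compare the sniffed format with what the extension claims."""
    fmt = identify(header)
    ext = PurePath(filename).suffix.lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        status = "unknown-extension"
    elif fmt in expected:
        status = "match"
    else:
        status = "mismatch"
    return {"file": filename, "extension": ext, "detected": fmt, "status": status}


# Constructed inputs: the first mimics the report's sample (RAR 5 data under an
# .arj name); the others are control cases. Bytes after the magic are filler.
SAMPLES = {
    "DOC PO 011119,DOC.arj": b"Rar!\x1a\x07\x01\x00" + b"\x33\x92\xb5\xe5\x0a\x01\x05",
    "old-archive.arj": b"\x60\xea\x2b\x00\x22\x0b",
    "invoice.rar": b"Rar!\x1a\x07\x00\xcf\x90\x73\x00",
}


def scan_samples() -> list:
    """Run the check over every constructed sample."""
    return [check_extension(name, hdr) for name, hdr in SAMPLES.items()]


if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['status']:<18} {r['detected']:<6} {r['file']}")
```

Against a real file, pass the first 16 bytes from `open(path, "rb").read(16)` as `header`. The mismatch is worth flagging at the mail gateway because the name ",DOC.arj" is chosen to read as a document while the archive format is one WinRAR will open anyway.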
Total processes: 34
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process tree)

explorer.exe → WinRAR.exe (PID 2988)
explorer.exe → pol.exe (PID 2288) → pol.exe (PID 3756)

Process information

PID 2988
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DOC PO 011119,DOC.arj"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2288
  CMD: "C:\Users\admin\Desktop\pol.exe"
  Path: C:\Users\admin\Desktop\pol.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3756
  CMD: "C:\Users\admin\Desktop\pol.exe"
  Path: C:\Users\admin\Desktop\pol.exe
  Parent process: pol.exe (PID 2288)
  User: admin
  Integrity Level: MEDIUM
Total events: 520
Read events: 476
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2988 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2988.9268\pol.exe
  Type:
  MD5:
  SHA256:

PID 3756 (pol.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\tmpG953.tmp
  Type: executable
  MD5: 52E693F2B24E39521BB46FC7F6FEEC64
  SHA256: A85F826A191D541A2B7693710D4B44ACE6D05370D2D5B417757990F9183BA688
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3756 | pol.exe | GET | 200 | 216.146.43.71:80 | http://checkip.dyndns.org/ | US | html | 106 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3756 | pol.exe | 192.185.175.39:587 | mail.mundiroyal.com | CyrusOne LLC | US | unknown
3756 | pol.exe | 216.146.43.71:80 | checkip.dyndns.org | Dynamic Network Services, Inc. | US | shared

DNS requests

Domain | IP | Reputation
checkip.dyndns.org | 216.146.43.71, 131.186.113.70, 216.146.43.70 | shared
mail.mundiroyal.com | 192.185.175.39 | unknown

Threats

PID | Process | Class | Message
 | | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
3756 | pol.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org
3756 | pol.exe | A Network Trojan was detected | MALWARE [PTsecurity] TR/Spy.Gen IP Check checkip.dyndns.org (AgentTesla)
3756 | pol.exe | Potentially Bad Traffic | ET POLICY DynDNS CheckIp External IP Address Server Response

1 ETPRO signature available in the full report
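Read together, the connection table and these alerts show the Agent Tesla exfiltration pattern: an external-IP lookup (checkip.dyndns.org) from pol.exe, then a connection from the same process to a mail server on port 587. The rule below is an added example, not ANY.RUN's or Suricata's logic: it correlates the two events per PID within a time window, so that a lone port 587 connection from a mail client does not fire. The connection records are constructed to mirror the report's table (hosts, IPs, ports and PID 3756); the timestamps and the benign outlook.exe record are invented for the demonstration, and the lookup-host list is an assumption a real deployment would source from threat intelligence.

```python
"""Correlate an external-IP lookup with a following SMTP connection per process.

Added example, not ANY.RUN's detection code. Records are constructed: the two
pol.exe rows copy the report's connection table, timestamps and the
outlook.exe row are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Public "what is my IP" services commonly abused by stealers (assumed list).
IP_CHECK_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
MAIL_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds after sandbox start (constructed, not from the report)
    pid: int
    process: str
    domain: str
    ip: str
    port: int


CONNECTIONS = [
    Conn(12.0, 3756, "pol.exe", "checkip.dyndns.org", "216.146.43.71", 80),
    Conn(14.5, 3756, "pol.exe", "mail.mundiroyal.com", "192.185.175.39", 587),
    # Invented control case: a mail client talking SMTP without an IP lookup.
    Conn(20.0, 1111, "outlook.exe", "smtp.example.com", "203.0.113.10", 587),
]


def find_smtp_exfil(conns, window=300.0):
    """Return one hit per mail-port connection that the same PID preceded,
    within `window` seconds, by a request to a known external-IP service."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c.pid].append(c)

    hits = []
    for pid, cs in by_pid.items():
        cs = sorted(cs, key=lambda c: c.ts)
        checks = [c for c in cs if c.domain in IP_CHECK_HOSTS]
        for m in (c for c in cs if c.port in MAIL_PORTS):
            prior = [c for c in checks if 0 <= m.ts - c.ts <= window]
            if prior:
                hits.append({
                    "pid": pid,
                    "process": m.process,
                    "ip_check": prior[-1].domain,
                    "mail_host": m.domain,
                    "mail_ip": f"{m.ip}:{m.port}",
                    "delta_s": round(m.ts - prior[-1].ts, 1),
                })
    return hits


if __name__ == "__main__":
    for h in find_smtp_exfil(CONNECTIONS):
        print(h)
```

The ordering check (`0 <= m.ts - c.ts`) matters: the lookup has to come first, because the stealer fetches the victim's public IP to include it in the report it mails out. Widen `window` if the sandbox run is long, and extend `MAIL_PORTS` only with care, since the same rule on port 443 would need a destination-domain allowlist to stay useful.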
No debug info