analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PI-10677.iso

Full analysis: https://app.any.run/tasks/e73561bf-a5b2-47d4-b1d9-da5d5a5ce182
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: July 17, 2019, 06:17:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
rat
agenttesla
keylogger
stealer
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'PI-10677'
MD5:

DEA8626B7C844E1F68C673795D412056

SHA1:

241158BCD021913C7A187D2164E58163C821F340

SHA256:

5B27A0377622A48D395BDCC4A9325B670C17008E19BD552726756C962240B53A

SSDEEP:

24576:UAHnh+eWsN3skA4RV1Hom2KXMmHaERAQJQB7Lkowfs7g1josHcW5:jh+ZkldoPK8YaERjcPkowVjoI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PI-10677.exe (PID: 1824)
      • RegAsm.exe (PID: 3340)
    • Changes the autorun value in the registry

      • PI-10677.exe (PID: 1824)
      • RegAsm.exe (PID: 3340)
    • AGENTTESLA was detected

      • RegAsm.exe (PID: 3340)
    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 3340)
  • SUSPICIOUS

    • Executed via COM

      • DllHost.exe (PID: 2608)
    • Checks for external IP

      • RegAsm.exe (PID: 3340)
    • Suspicious files were dropped or overwritten

      • PI-10677.exe (PID: 1824)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3664)
      • PI-10677.exe (PID: 1824)
      • RegAsm.exe (PID: 3340)
    • Creates files in the user directory

      • RegAsm.exe (PID: 3340)
  • INFO

    • Manual execution by user

      • PI-10677.exe (PID: 1824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 1482 kB

ISO

VolumeModifyDate: 2019:07:16 11:11:27.00+01:00
VolumeCreateDate: 2019:07:16 11:11:27.00+01:00
Software: PowerISO
RootDirectoryCreateDate: 2019:07:16 11:11:27+01:00
VolumeBlockSize: 2048
VolumeBlockCount: 741
VolumeName: PI-10677
System: Win32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs winrar.exe pi-10677.exe #AGENTTESLA regasm.exe PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
3008"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\PI-10677.isoC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3664"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PI-10677.iso"C:\Program Files\WinRAR\WinRAR.exe
rundll32.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1824"C:\Users\admin\Desktop\PI-10677.exe" C:\Users\admin\Desktop\PI-10677.exe
explorer.exe
User:
admin
Company:
SystemPropertiesAdvanced
Integrity Level:
MEDIUM
Description:
atl110
Exit code:
0
Version:
730.93.52.907
3340"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PI-10677.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
2608C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 013
Read events
909
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
1824PI-10677.exeC:\Users\Public\UeCQTfoqPv.vbstext
MD5:E6E8FE0A62DDC9CEEAF7306BD5B1A537
SHA256:79E433C8E9722E922EADA78E5FD9D18B3A1DF2134BA00C85C225ADF8F4CF76FD
3340RegAsm.exeC:\Users\admin\AppData\Local\Temp\636989447667330000_bfd93599-2691-43f7-a95d-4028dba76d56.dbsqlite
MD5:0B3C43342CE2A99318AA0FE9E531C57B
SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
3664WinRAR.exeC:\Users\admin\Desktop\PI-10677.exeexecutable
MD5:9B0F63F09B7320BB6D7196F3D3947F90
SHA256:ED18477D1FAACFF3DC742305261BDF9997FE239E3E53F75122CB9E244D6A2AB4
1824PI-10677.exeC:\Users\admin\AppData\Local\Temp\PkgMgr\dasHost.batexecutable
MD5:C2E44713107465BF84A3806FD37A89DF
SHA256:28B7B19ADBC0EBC577C532383E540AA2D4BE1537DD43373E394F57D9A2944B30
3340RegAsm.exeC:\Users\admin\AppData\Roaming\MyApp\MyApp.exeexecutable
MD5:278EDBD499374BF73621F8C1F969D894
SHA256:C6999B9F79932C3B4F1C461A69D9DC8DC301D6A155ABC33EFE1B6E9E4A038391
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3340
RegAsm.exe
GET
200
34.197.157.64:80
http://checkip.amazonaws.com/
US
text
12 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3340
RegAsm.exe
208.91.199.224:587
smtp.ugcsa-com.com
PDR
US
shared
3340
RegAsm.exe
34.197.157.64:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared

DNS requests

Domain
IP
Reputation
checkip.amazonaws.com
  • 34.197.157.64
  • 18.211.215.84
  • 34.233.102.38
  • 52.202.139.131
  • 52.206.161.133
  • 52.6.79.229
shared
smtp.ugcsa-com.com
  • 208.91.199.224
  • 208.91.199.223
  • 208.91.198.143
  • 208.91.199.225
malicious

Threats

PID
Process
Class
Message
3340
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info