File name: Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.ace

Full analysis: https://app.any.run/tasks/8a50e7fb-e5af-450e-b58d-2c5c25321df7
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: December 06, 2019, 15:46:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, agenttesla, rat
Indicators:
MIME: application/octet-stream
File info: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5: 65E636D924FA7399D3C2CF8E71135F38
SHA1: 14A47889FBC45590E97B3C529F40BFC3CE33978E
SHA256: 5DA68038CC72C5133FE9A4903BCE15D7327B84AE66A712AF5E72B5D7193BAAB7
SSDEEP: 12288:D6j2OQRe5wmrvc0EQUUfwJqqdxaV2QhhgUrgsEW+Yriwz/Kw2bbfMFR8z46onvQo:D6SRe5wmjc0hUGwJqqdQV2YLrgsSY+w9
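The "File info" line above is libmagic's reading of the ACE main header, and the ".pdf.ace" name is the lure: a document extension in front of the real one. The Python below is an added example, not part of the ANY.RUN report: it parses the first bytes of an ACE main header to reproduce that description and checks a file name for the decoy-plus-real-extension pattern, so the same triage can be done offline before anything is extracted. The header bytes are constructed to match the report's description, not taken from the sample; the field offsets, host-OS codes and flag bits (solid, AV-string) follow libmagic's ACE rule and are an assumption about the format layout.

```python
"""Offline triage of an ACE archive: read the main header and check the file name.

Added example; not part of the ANY.RUN report. Header layout (offsets, flag bits,
host-OS codes) follows libmagic's ACE rule and is assumed, not taken from the sample.
"""
import hashlib
import struct

ACE_SIGNATURE = b"**ACE**"                    # magic string at offset 7 of the main header
FLAG_SOLID = 0x0001                           # header flags: little-endian u16 at offset 5
FLAG_AV_STRING = 0x8000                       # archive carries an authenticity-verification string
ACE_HOST_OS = {0: "MS-DOS", 1: "OS/2", 2: "Win/32", 3: "Unix", 4: "Mac OS", 5: "Win/NT"}
UNREGISTERED_AV = b"*UNREGISTERED VERSION*"   # AV string written by an unregistered WinACE

# Constructed main header matching the report's file-info line; NOT bytes from the real sample.
SAMPLE_HEADER = (
    b"\x00\x00"                                   # header CRC16 (not validated here)
    + struct.pack("<H", 49)                       # header size (bytes that follow this field)
    + b"\x00"                                     # header type 0 = main header
    + struct.pack("<H", FLAG_SOLID | FLAG_AV_STRING)
    + ACE_SIGNATURE
    + bytes([20, 20, 2, 0])                       # ver_extract, ver_created, host OS, volume no.
    + b"\x00" * 4                                 # creation time (DOS format)
    + b"\x00" * 8                                 # reserved
    + bytes([len(UNREGISTERED_AV)]) + UNREGISTERED_AV   # AV length byte at offset 30, then the string
)

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".ace", ".rar", ".zip", ".7z", ".iso", ".arj", ".cab"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def is_ace(data: bytes) -> bool:
    return len(data) >= 30 and data[7:14] == ACE_SIGNATURE


def parse_ace_header(data: bytes) -> dict:
    """Decode the fixed part of the ACE main header plus the optional AV string."""
    if not is_ace(data):
        raise ValueError("no **ACE** signature at offset 7: not an ACE archive")
    flags = struct.unpack_from("<H", data, 5)[0]
    info = {
        "ver_extract": data[14],
        "ver_created": data[15],
        "host_os": ACE_HOST_OS.get(data[16], f"unknown({data[16]})"),
        "solid": bool(flags & FLAG_SOLID),
        "av_string": None,
    }
    if flags & FLAG_AV_STRING and len(data) > 30:
        av_len = data[30]
        info["av_string"] = data[31:31 + av_len].decode("latin-1", "replace")
    return info


def describe(data: bytes) -> str:
    """Render the header the way the report's 'File info' line does."""
    i = parse_ace_header(data)
    parts = [f"ACE archive data version {i['ver_created']}",
             f"from {i['host_os']}",
             f"version {i['ver_extract']} to extract"]
    if i["av_string"] is not None:
        unregistered = i["av_string"] == UNREGISTERED_AV.decode("latin-1")
        parts.append("contains AV-String" + (" (unregistered)" if unregistered else ""))
    if i["solid"]:
        parts.append("solid")
    return ", ".join(parts)


def lure_check(name: str) -> dict:
    """Flag names like 'x.pdf.ace' / 'x.pdf.exe' where a document extension hides the real one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return {"lure": False, "decoy_ext": None,
                "real_ext": "." + parts[1] if len(parts) == 2 else None, "executes": False}
    decoy, real = "." + parts[1], "." + parts[2]
    return {"lure": decoy in DECOY_EXTS and real in (EXEC_EXTS | ARCHIVE_EXTS),
            "decoy_ext": decoy, "real_ext": real, "executes": real in EXEC_EXTS}


def triage(name: str, data: bytes) -> dict:
    """One record per submitted file: lure verdict, container header, and the usual hashes."""
    return {
        "name": name,
        "lure": lure_check(name),
        "ace": parse_ace_header(data) if is_ace(data) else None,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


if __name__ == "__main__":
    rec = triage("Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.ace", SAMPLE_HEADER)
    print(describe(SAMPLE_HEADER))
    print(rec["lure"], rec["sha256"])
```

The signature check is deliberately done on the header rather than the extension: the extension is attacker-controlled, the seven bytes at offset 7 are not. `lure_check` reports both whether the name is a lure and whether the real extension executes directly, which is the difference between the archive (`.ace`, needs an archiver) and the file inside it (`.exe`, runs on double-click).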

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe (PID: 2872)
    • Actions look like stealing of personal data: RegSvcs.exe (PID: 2752)
    • AGENTTESLA detected: RegSvcs.exe (PID: 2752)
  • SUSPICIOUS
    • Executable content was dropped or overwritten: WinRAR.exe (PID: 1752)
    • Connects to SMTP port: RegSvcs.exe (PID: 2752)
  • INFO
    • Manual execution by user: opera.exe (PID: 2336)
    • Creates files in the user directory: opera.exe (PID: 2336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ace | ACE compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe
  └─ WinRAR.exe (PID 1752)
       └─ [drop and start] Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe (PID 2872)
            └─ [start] RegSvcs.exe (PID 2752)  #AGENTTESLA
explorer.exe
  └─ opera.exe (PID 2336)  (manual execution by the analyst; not part of the infection chain)

Process information

PID 1752: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.ace"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2872: Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0

PID 2752: RegSvcs.exe
  CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  Parent process: Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft .NET Services Installation Utility
  Version: 2.0.50727.5420 (Win7SP1.050727-5400)

PID 2336: opera.exe
  CMD: "C:\Program Files\Opera\opera.exe"
  Path: C:\Program Files\Opera\opera.exe
  Parent process: explorer.exe
  User: admin
  Company: Opera Software
  Integrity level: MEDIUM
  Description: Opera Internet Browser
  Exit code: 0
  Version: 1748

Three things in this table are worth reading before the network data. First, the parent of the dropped executable is WinRAR.exe and its path is under Rar$EXa1752.23175 in %TEMP%: that is the temporary folder WinRAR uses when a file is opened straight from the archive view, so the user double-clicked the ".pdf.exe" inside the archive rather than extracting it first; the lure name survives into the dropped PE. Second, RegSvcs.exe is a signed Microsoft .NET utility, here started by the dropped executable with no command-line arguments at all, and it is this process, not the file the user ran, that carries the AGENTTESLA verdict, the credential-theft signature and the SMTP connection; the dropped executable exits with code 0 once that has happened. A RegSvcs.exe/RegAsm.exe launched with an empty command line by something in a user-writable directory is the detection opportunity here, because a legitimate invocation always has an assembly to register. Third, every process runs at MEDIUM integrity as the logged-in user: nothing in the chain elevates, so the stealer's reach is whatever that user can read.
Total events: 742
Read events: 609
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 40
Text files: 27
Unknown types: 11

Dropped files

PID   Process      Filename  [Type]  (MD5 / SHA256 where the report gives them)
2336  opera.exe    C:\Users\admin\AppData\Roaming\Opera\Opera\opr4424.tmp
2336  opera.exe    C:\Users\admin\AppData\Roaming\Opera\Opera\opr4444.tmp
2336  opera.exe    C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
2336  opera.exe    C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HIW9OSDYS0BYJHJHHH6B.temp
2336  opera.exe    C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr6376.tmp
2336  opera.exe    C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml  [xml]
      MD5: F77B1C44241FC71F3083D9303DBFC15B
      SHA256: C7CF0FC048AD1C2C01457F69752CE28558679115E01BEF6BD165725B74A14AA3
2336  opera.exe    C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr6F4E.tmp
2752  RegSvcs.exe  C:\Users\admin\AppData\Local\Temp\cdf91022-842b-489a-90ff-fe55423f070c  [sqlite]
      MD5: 0B3C43342CE2A99318AA0FE9E531C57B
      SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
1752  WinRAR.exe   C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe  [executable]
      MD5: 46683E02C8AFC65C763775B7AF2D6376
      SHA256: 119724AE5E2F46CBE1E8E62C0A2C0F3DCB7240FC72A99642470F6B3097B0D92E
2336  opera.exe    C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini  [text]
      MD5: 8F013239850EED8A0CD5E43AAC3EFF01
      SHA256: 99B825698AD8D8DA6B9510C5CDC975B1BAE8E6DCFE5847EE41B68ECB266DC671

Only two of these rows belong to the infection. The executable WinRAR wrote to the Rar$EXa folder is the actual payload, and its hashes (MD5 46683E02C8AFC65C763775B7AF2D6376, SHA256 119724AE5E2F46CBE1E8E62C0A2C0F3DCB7240FC72A99642470F6B3097B0D92E) are the ones to pivot on rather than the archive's, since the same payload can be re-wrapped in any number of archives. The other is the SQLite database RegSvcs.exe wrote to %TEMP% under a GUID name: the stealer process is the only thing that touched it, and stealers generally work from a copy of a browser's credential or cookie store, so that file is the one to pull from the full report. The remaining entries are opera.exe's own cache and session files from the analyst's manual browser launch.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 25
DNS requests: 12
Threats: 0

HTTP requests

All nine HTTP requests come from opera.exe (PID 2336), the browser the analyst started by hand: CRL and OCSP fetches, Opera's site check and Google start-page traffic. None of it is command-and-control, and RegSvcs.exe made no HTTP requests at all; its only traffic is the SMTP connection listed below.

PID   Process    Method  Code  IP                  CN       Type  Size   Reputation   URL
2336  opera.exe  GET     200   172.217.18.99:80    US       der   950 b  whitelisted  http://crl.pki.goog/gsr2/gsr2.crl
2336  opera.exe  GET     200   172.217.18.99:80    US       der   472 b  whitelisted  http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDO9A16CtM3pwgAAAAAHYok
2336  opera.exe  GET     200   172.217.22.14:80    US       text  105 b  whitelisted  http://clients1.google.com/complete/search?q=google&client=opera-suggest-omnibox&hl=de
2336  opera.exe  GET     200   172.217.18.99:80    US       der   471 b  whitelisted  http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEESx0e36PsXVCAAAAAAdilY%3D
2336  opera.exe  GET     200   93.184.220.29:80    US       der   564 b  whitelisted  http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
2336  opera.exe  GET     200   172.217.18.99:80    US       der   471 b  whitelisted  http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEB1k3YcxVRASCAAAAAAdilE%3D
2336  opera.exe  GET     400   185.26.182.94:80    unknown  html  150 b  whitelisted  http://sitecheck2.opera.com/?host=google.com&hdn=5cHJ/4cINcLBl65Ju%2BOcTQ==
2336  opera.exe  GET     302   216.58.205.228:80   US       html  231 b  whitelisted  http://www.google.com/
2336  opera.exe  GET     301   172.217.22.46:80    US       html  219 b  whitelisted  http://google.com/

Connections

PID   Process      IP:port             Domain               ASN                                                       CN  Reputation
2336  opera.exe    172.217.22.46:80    google.com           Google Inc.                                               US  whitelisted
2752  RegSvcs.exe  208.91.198.143:587  smtp.blowtac-tw.com  PDR                                                       US  shared
2336  opera.exe    185.26.182.94:80    certs.opera.com      Opera Software AS                                         -   whitelisted
2336  opera.exe    185.26.182.94:443   certs.opera.com      Opera Software AS                                         -   whitelisted
2336  opera.exe    216.58.205.228:80   www.google.com       Google Inc.                                               US  whitelisted
2336  opera.exe    216.58.205.228:443  www.google.com       Google Inc.                                               US  whitelisted
2336  opera.exe    172.217.18.99:80    crl.pki.goog         Google Inc.                                               US  whitelisted
2336  opera.exe    172.217.22.14:443   clients1.google.com  Google Inc.                                               US  whitelisted
2336  opera.exe    172.217.22.14:80    clients1.google.com  Google Inc.                                               US  whitelisted
2336  opera.exe    93.184.220.29:80    crl4.digicert.com    MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted

The single connection from the infected process is RegSvcs.exe to smtp.blowtac-tw.com on TCP 587, the mail submission port; everything else is opera.exe. Note the reputation split: the address 208.91.198.143 is rated "shared" (a shared-hosting IP in AS PDR), while the DNS section below rates the host name smtp.blowtac-tw.com malicious. That is the expected shape for a stealer that mails its loot out through a mailbox on an ordinary hosting provider. Block or hunt on the host name and on the account used in the SMTP session, which is recoverable from the PCAP in the full report; the IP alone will catch unrelated tenants of the same server.

DNS requests

Domain                IP(s)                                                           Reputation
smtp.blowtac-tw.com   208.91.198.143, 208.91.199.224, 208.91.199.225, 208.91.199.223  malicious
certs.opera.com       185.26.182.94, 185.26.182.93                                    whitelisted
crl4.digicert.com     93.184.220.29                                                   whitelisted
clients1.google.com   172.217.22.14                                                   whitelisted
google.com            172.217.22.46                                                   whitelisted
sitecheck2.opera.com  185.26.182.94, 185.26.182.111, 185.26.182.93, 185.26.182.112    whitelisted
www.google.com        216.58.205.228                                                  whitelisted
crl.pki.goog          172.217.18.99                                                   whitelisted
ocsp.pki.goog         172.217.18.99                                                   whitelisted
ssl.gstatic.com       216.58.210.3                                                    whitelisted

Threats

PID   Process      Class                            Message
2752  RegSvcs.exe  Generic Protocol Command Decode  SURICATA Applayer Detect protocol only one direction
2752  RegSvcs.exe  A Network Trojan was detected    SPYWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP

The first row is a Suricata engine event, not a malware signature: the application-layer protocol was recognised from only one side of the stream. The second is the PT Security rule for Agent Tesla's SMTP exfiltration, fired on the same RegSvcs.exe session to smtp.blowtac-tw.com:587 listed under Connections; for the rule to match, the SMTP dialogue had to be visible in the clear at that point, which is why the PCAP is worth retrieving.
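The process table and the Connections/Threats sections above describe one chain: an executable started by WinRAR out of its Rar$EX temp folder, a signed .NET host (RegSvcs.exe) launched with no arguments by that executable, and an SMTP submission from that host. Each of those signals is weak on its own; together on one process tree they are the detection. The Python below is an added example, not part of the ANY.RUN report or of any vendor's rule set: it encodes the three checks and a correlation step and runs them over constructed process-create and network-connect events modelled on the report (PIDs and paths from the report; the explorer.exe PID, the event field names and the benign-parent/mail-client lists are assumptions).

```python
"""Detection logic for the chain in this report, run over constructed process/network events.

Added example; not part of the ANY.RUN report. Event fields (pid, image, cmdline,
parent_pid, parent_image, dst_ip, dst_port, domain) are assumed, modelled on what a
Sysmon-style process-create / network-connect event carries.
"""
import ntpath

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "winzip64.exe", "winzip32.exe"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Signed .NET utilities commonly used as an injection host; a legitimate run has arguments.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed allowlist for SMTP egress
SMTP_PORTS = {25, 465, 587}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\downloads\\")

EXPLORER = r"C:\Windows\explorer.exe"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
DROPPED = (r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175"
           r"\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe")
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
OPERA = r"C:\Program Files\Opera\opera.exe"

# Constructed events mirroring the report's process and connection tables (explorer PID assumed).
EVENTS = [
    {"type": "process", "pid": 1000, "image": EXPLORER, "cmdline": "explorer.exe",
     "parent_pid": 0, "parent_image": ""},
    {"type": "process", "pid": 1752, "image": WINRAR,
     "cmdline": f'"{WINRAR}" "C:\\Users\\admin\\AppData\\Local\\Temp\\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.ace"',
     "parent_pid": 1000, "parent_image": EXPLORER},
    {"type": "process", "pid": 2872, "image": DROPPED, "cmdline": f'"{DROPPED}"',
     "parent_pid": 1752, "parent_image": WINRAR},
    {"type": "process", "pid": 2752, "image": REGSVCS, "cmdline": f'"{REGSVCS}"',
     "parent_pid": 2872, "parent_image": DROPPED},
    {"type": "process", "pid": 2336, "image": OPERA, "cmdline": f'"{OPERA}"',
     "parent_pid": 1000, "parent_image": EXPLORER},
    {"type": "network", "pid": 2752, "image": REGSVCS, "dst_ip": "208.91.198.143",
     "dst_port": 587, "domain": "smtp.blowtac-tw.com"},
    {"type": "network", "pid": 2336, "image": OPERA, "dst_ip": "216.58.205.228",
     "dst_port": 443, "domain": "www.google.com"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def has_args(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) program path on the command line."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        rest = c[end + 1:] if end != -1 else ""
    else:
        rest = c.split(None, 1)[1] if " " in c else ""
    return rest.strip() != ""


def rule_exec_from_archive(e: dict):
    """Executable started by an archiver straight out of a temp/extraction folder."""
    if e["type"] != "process":
        return None
    img = e["image"].lower()
    if ntpath.splitext(img)[1] not in EXEC_EXTS or basename(e["parent_image"]) not in ARCHIVERS:
        return None
    # WinRAR extracts to %TEMP%\Rar$EX<pid>.<n> when a file is opened from the archive view.
    if "\\rar$ex" in img or any(d in img for d in USER_WRITABLE):
        return {"rule": "exec_from_archive_viewer", "pid": e["pid"], "image": e["image"]}
    return None


def rule_dotnet_host_no_args(e: dict):
    """Signed .NET utility launched with an empty command line by a user-writable parent."""
    if e["type"] != "process" or basename(e["image"]) not in DOTNET_HOSTS:
        return None
    parent = e["parent_image"].lower()
    if not has_args(e["cmdline"]) and any(d in parent for d in USER_WRITABLE):
        return {"rule": "dotnet_host_no_args_from_user_writable_parent", "pid": e["pid"],
                "image": e["image"], "parent": e["parent_image"]}
    return None


def rule_smtp_egress(e: dict):
    """SMTP / submission-port connection from a process that is not a mail client."""
    if e["type"] != "network" or e["dst_port"] not in SMTP_PORTS:
        return None
    if basename(e["image"]) in MAIL_CLIENTS:
        return None
    return {"rule": "smtp_from_non_mail_client", "pid": e["pid"], "image": e["image"],
            "dst": f'{e["dst_ip"]}:{e["dst_port"]}', "domain": e["domain"]}


RULES = (rule_exec_from_archive, rule_dotnet_host_no_args, rule_smtp_egress)


def ancestors(pid: int, procs: dict) -> list:
    """Parent chain of pid, nearest first, stopping when the parent is not in the event set."""
    chain = []
    while pid in procs and procs[pid]["parent_pid"] in procs:
        pid = procs[pid]["parent_pid"]
        chain.append(pid)
    return chain


def run(events: list):
    """Return (per-event alerts, correlated high-severity chains)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append(hit)
    rules_by_pid = {}
    for a in alerts:
        rules_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    # Escalate only when the weak signals line up on one tree: a .NET host with no args that
    # talks SMTP, with an archive-extracted executable somewhere among its ancestors.
    chains = []
    for pid, rules in rules_by_pid.items():
        if {"dotnet_host_no_args_from_user_writable_parent", "smtp_from_non_mail_client"} <= rules:
            anc = ancestors(pid, procs)
            if any("exec_from_archive_viewer" in rules_by_pid.get(p, set()) for p in anc):
                chains.append({"pid": pid, "severity": "high",
                               "chain": [basename(procs[p]["image"]) for p in reversed(anc)]
                                        + [basename(procs[pid]["image"])]})
    return alerts, chains


if __name__ == "__main__":
    found, escalated = run(EVENTS)
    for a in found:
        print(a["rule"], a["pid"])
    print(escalated)
```

Run against the constructed events, the three rules each fire once (PID 2872 for the archive-extracted executable, PID 2752 twice) and the correlation produces one high-severity chain, explorer.exe → winrar.exe → the .pdf.exe → regsvcs.exe, while opera.exe, which also ran under explorer.exe and also made outbound connections, triggers nothing. The correlation walks parents rather than matching on a fixed depth so that an extra stage between the dropper and the .NET host does not break it.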
No debug info