File name: | Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.ace |
Full analysis: | https://app.any.run/tasks/8a50e7fb-e5af-450e-b58d-2c5c25321df7 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | December 06, 2019, 15:46:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
MD5: | 65E636D924FA7399D3C2CF8E71135F38 |
SHA1: | 14A47889FBC45590E97B3C529F40BFC3CE33978E |
SHA256: | 5DA68038CC72C5133FE9A4903BCE15D7327B84AE66A712AF5E72B5D7193BAAB7 |
SSDEEP: | 12288:D6j2OQRe5wmrvc0EQUUfwJqqdxaV2QhhgUrgsEW+Yriwz/Kw2bbfMFR8z46onvQo:D6SRe5wmjc0hUGwJqqdQV2YLrgsSY+w9 |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2872 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2752 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
2336 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr4424.tmp | — | |
MD5:— | SHA256:— | |||
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr4444.tmp | — | |
MD5:— | SHA256:— | |||
2336 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | — | |
MD5:— | SHA256:— | |||
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HIW9OSDYS0BYJHJHHH6B.temp | — | |
MD5:— | SHA256:— | |||
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr6376.tmp | — | |
MD5:— | SHA256:— | |||
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | |
MD5:F77B1C44241FC71F3083D9303DBFC15B | SHA256:C7CF0FC048AD1C2C01457F69752CE28558679115E01BEF6BD165725B74A14AA3 | |||
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr6F4E.tmp | — | |
MD5:— | SHA256:— | |||
2752 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\cdf91022-842b-489a-90ff-fe55423f070c | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1752.23175\Payment Advice-BCS_ECS9522019111121380024_1206_952.pdf.exe | executable | |
MD5:46683E02C8AFC65C763775B7AF2D6376 | SHA256:119724AE5E2F46CBE1E8E62C0A2C0F3DCB7240FC72A99642470F6B3097B0D92E | |||
2336 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:8F013239850EED8A0CD5E43AAC3EFF01 | SHA256:99B825698AD8D8DA6B9510C5CDC975B1BAE8E6DCFE5847EE41B68ECB266DC671 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2336 | opera.exe | GET | 200 | 172.217.18.99:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 950 b | whitelisted |
2336 | opera.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDO9A16CtM3pwgAAAAAHYok | US | der | 472 b | whitelisted |
2336 | opera.exe | GET | 200 | 172.217.22.14:80 | http://clients1.google.com/complete/search?q=google&client=opera-suggest-omnibox&hl=de | US | text | 105 b | whitelisted |
2336 | opera.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEESx0e36PsXVCAAAAAAdilY%3D | US | der | 471 b | whitelisted |
2336 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted |
2336 | opera.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEB1k3YcxVRASCAAAAAAdilE%3D | US | der | 471 b | whitelisted |
2336 | opera.exe | GET | 400 | 185.26.182.94:80 | http://sitecheck2.opera.com/?host=google.com&hdn=5cHJ/4cINcLBl65Ju%2BOcTQ== | unknown | html | 150 b | whitelisted |
2336 | opera.exe | GET | 302 | 216.58.205.228:80 | http://www.google.com/ | US | html | 231 b | whitelisted |
2336 | opera.exe | GET | 301 | 172.217.22.46:80 | http://google.com/ | US | html | 219 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2336 | opera.exe | 172.217.22.46:80 | google.com | Google Inc. | US | whitelisted |
2752 | RegSvcs.exe | 208.91.198.143:587 | smtp.blowtac-tw.com | PDR | US | shared |
2336 | opera.exe | 185.26.182.94:80 | certs.opera.com | Opera Software AS | — | whitelisted |
2336 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2336 | opera.exe | 216.58.205.228:80 | www.google.com | Google Inc. | US | whitelisted |
2336 | opera.exe | 216.58.205.228:443 | www.google.com | Google Inc. | US | whitelisted |
2336 | opera.exe | 172.217.18.99:80 | crl.pki.goog | Google Inc. | US | whitelisted |
2336 | opera.exe | 172.217.22.14:443 | clients1.google.com | Google Inc. | US | whitelisted |
2336 | opera.exe | 172.217.22.14:80 | clients1.google.com | Google Inc. | US | whitelisted |
2336 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
smtp.blowtac-tw.com |
| malicious |
certs.opera.com |
| whitelisted |
crl4.digicert.com |
| whitelisted |
clients1.google.com |
| whitelisted |
google.com |
| whitelisted |
sitecheck2.opera.com |
| whitelisted |
www.google.com |
| whitelisted |
crl.pki.goog |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ssl.gstatic.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2752 | RegSvcs.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2752 | RegSvcs.exe | A Network Trojan was detected | SPYWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |