analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 09404copy.iso |
| Full analysis: | https://app.any.run/tasks/684096c4-8762-4f84-b3ef-4e2f088eae93 |
| Verdict: | Malicious activity |
| Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
| Analysis date: | June 03, 2024, 20:28:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-iso9660-image |
| File info: | ISO 9660 CD-ROM filesystem data '09404copy' |
| MD5: | 0B8520B2CA11A564F4B6C5BEB2328E74 |
| SHA1: | D2246EE97C6BBBD6A224AAE369E1FBCA761B7DF5 |
| SHA256: | 670E7EFA76179B31CFE4B1F20A4EDBDEF2115FCE36A1CA64102A8422BA4E691F |
| SSDEEP: | 24576:kltzBtVm4+/XwrvZ3wwe5cXxEsUIDu40SsQ+lgdtuEJWezlkaSwQZRetaUJ20Ny2:kltzBtVm4+/XwLZ3wwe5cXxRUIF0SsQp |
MALICIOUS
Steals credentials from Web Browsers
- 09404copy.exe (PID: 1764)
Actions looks like stealing of personal data
- 09404copy.exe (PID: 1764)
AGENTTESLA has been detected (YARA)
- 09404copy.exe (PID: 1764)
SUSPICIOUS
Reads the Internet Settings
- 09404copy.exe (PID: 1184)
Application launched itself
- 09404copy.exe (PID: 1184)
Connects to SMTP port
- 09404copy.exe (PID: 1764)
Reads security settings of Internet Explorer
- 09404copy.exe (PID: 1184)
Accesses Microsoft Outlook profiles
- 09404copy.exe (PID: 1764)
INFO
Checks supported languages
- 09404copy.exe (PID: 1184)
- 09404copy.exe (PID: 1764)
- wmpnscfg.exe (PID: 1284)
Reads the computer name
- 09404copy.exe (PID: 1184)
- 09404copy.exe (PID: 1764)
- wmpnscfg.exe (PID: 1284)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3980)
Reads Environment values
- 09404copy.exe (PID: 1764)
Manual execution by a user
- 09404copy.exe (PID: 1184)
- wmpnscfg.exe (PID: 1284)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3980)
Reads the machine GUID from the registry
- 09404copy.exe (PID: 1184)
- 09404copy.exe (PID: 1764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
AgentTesla
(PID) Process(1764) 09404copy.exe
Protocolsmtp
Hostus2.smtp.mailhostbox.com
Port587
Username[email protected]
Password@iAiRA(0
TRiD
| .atn | | | Photoshop Action (37.5) |
|---|---|---|
| .gmc | | | Game Music Creator Music (8.4) |
| .abr | | | Adobe PhotoShop Brush (7.5) |
EXIF
Composite
| VolumeSize: | 812 KiB |
|---|
ISO
| VolumeModifyDate: | 2024:06:03 18:36:07.00+01:00 |
|---|---|
| VolumeCreateDate: | 2024:06:03 18:36:07.00+01:00 |
| Software: | PowerISO |
| RootDirectoryCreateDate: | 2024:06:03 18:36:07+01:00 |
| VolumeBlockSize: | 2048 |
| VolumeBlockCount: | 406 |
| VolumeName: | 09404copy |
| System: | Win32 |
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3980 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\09404copy.iso | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1184 | "C:\Users\admin\Desktop\09404copy.exe" | C:\Users\admin\Desktop\09404copy.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 0.8 Modules
| |||||||||||||||
| 1764 | "C:\Users\admin\Desktop\09404copy.exe" | C:\Users\admin\Desktop\09404copy.exe | 09404copy.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Version: 0.8 Modules
AgentTesla(PID) Process(1764) 09404copy.exe Protocolsmtp Hostus2.smtp.mailhostbox.com Port587 Username[email protected] Password@iAiRA(0 | |||||||||||||||
| 1284 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 642
Read events
4 610
Write events
32
Delete events
0
Modification events
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\09404copy.iso | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3980 | WinRAR.exe | C:\Users\admin\Desktop\09404copy.exe | executable | |
MD5:CEC884228C39C9B4637636C642D5F280 | SHA256:91A58A047D6EA0C7DDB7C89B0A43A5453FD5D7145C78A836EF803D5FB0F65254 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1764 | 09404copy.exe | 208.91.199.224:587 | us2.smtp.mailhostbox.com | UNIFIEDLAYER-AS-1 | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
us2.smtp.mailhostbox.com |
| shared |