File name: | 09404copy.iso |
Full analysis: | https://app.any.run/tasks/684096c4-8762-4f84-b3ef-4e2f088eae93 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | June 03, 2024, 20:28:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data '09404copy' |
MD5: | 0B8520B2CA11A564F4B6C5BEB2328E74 |
SHA1: | D2246EE97C6BBBD6A224AAE369E1FBCA761B7DF5 |
SHA256: | 670E7EFA76179B31CFE4B1F20A4EDBDEF2115FCE36A1CA64102A8422BA4E691F |
SSDEEP: | 24576:kltzBtVm4+/XwrvZ3wwe5cXxEsUIDu40SsQ+lgdtuEJWezlkaSwQZRetaUJ20Ny2:kltzBtVm4+/XwLZ3wwe5cXxRUIF0SsQp |
.atn | | | Photoshop Action (37.5) |
---|---|---|
.gmc | | | Game Music Creator Music (8.4) |
.abr | | | Adobe PhotoShop Brush (7.5) |
VolumeSize: | 812 KiB |
---|
VolumeModifyDate: | 2024:06:03 18:36:07.00+01:00 |
---|---|
VolumeCreateDate: | 2024:06:03 18:36:07.00+01:00 |
Software: | PowerISO |
RootDirectoryCreateDate: | 2024:06:03 18:36:07+01:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 406 |
VolumeName: | 09404copy |
System: | Win32 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3980 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\09404copy.iso | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
1184 | "C:\Users\admin\Desktop\09404copy.exe" | C:\Users\admin\Desktop\09404copy.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 0.8 Modules
| |||||||||||||||
1764 | "C:\Users\admin\Desktop\09404copy.exe" | C:\Users\admin\Desktop\09404copy.exe | 09404copy.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Version: 0.8 Modules
AgentTesla(PID) Process(1764) 09404copy.exe Protocolsmtp Hostus2.smtp.mailhostbox.com Port587 Username[email protected] Password@iAiRA(0 | |||||||||||||||
1284 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\09404copy.iso | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3980 | WinRAR.exe | C:\Users\admin\Desktop\09404copy.exe | executable | |
MD5:CEC884228C39C9B4637636C642D5F280 | SHA256:91A58A047D6EA0C7DDB7C89B0A43A5453FD5D7145C78A836EF803D5FB0F65254 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1764 | 09404copy.exe | 208.91.199.224:587 | us2.smtp.mailhostbox.com | UNIFIEDLAYER-AS-1 | US | unknown |
Domain | IP | Reputation |
---|---|---|
us2.smtp.mailhostbox.com |
| unknown |