File name:

09404copy.iso

Full analysis: https://app.any.run/tasks/684096c4-8762-4f84-b3ef-4e2f088eae93
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: June 03, 2024, 20:28:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
agenttesla
stealer
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data '09404copy'
MD5:

0B8520B2CA11A564F4B6C5BEB2328E74

SHA1:

D2246EE97C6BBBD6A224AAE369E1FBCA761B7DF5

SHA256:

670E7EFA76179B31CFE4B1F20A4EDBDEF2115FCE36A1CA64102A8422BA4E691F

SSDEEP:

24576:kltzBtVm4+/XwrvZ3wwe5cXxEsUIDu40SsQ+lgdtuEJWezlkaSwQZRetaUJ20Ny2:kltzBtVm4+/XwLZ3wwe5cXxRUIF0SsQp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • 09404copy.exe (PID: 1764)
    • Steals credentials from Web Browsers

      • 09404copy.exe (PID: 1764)
    • AGENTTESLA has been detected (YARA)

      • 09404copy.exe (PID: 1764)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 09404copy.exe (PID: 1184)
    • Reads the Internet Settings

      • 09404copy.exe (PID: 1184)
    • Application launched itself

      • 09404copy.exe (PID: 1184)
    • Connects to SMTP port

      • 09404copy.exe (PID: 1764)
    • Accesses Microsoft Outlook profiles

      • 09404copy.exe (PID: 1764)
  • INFO

    • Reads the computer name

      • 09404copy.exe (PID: 1184)
      • 09404copy.exe (PID: 1764)
      • wmpnscfg.exe (PID: 1284)
    • Checks supported languages

      • 09404copy.exe (PID: 1764)
      • 09404copy.exe (PID: 1184)
      • wmpnscfg.exe (PID: 1284)
    • Reads the machine GUID from the registry

      • 09404copy.exe (PID: 1764)
      • 09404copy.exe (PID: 1184)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
    • Reads Environment values

      • 09404copy.exe (PID: 1764)
    • Manual execution by a user

      • 09404copy.exe (PID: 1184)
      • wmpnscfg.exe (PID: 1284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process(1764) 09404copy.exe
Protocolsmtp
Hostus2.smtp.mailhostbox.com
Port587
Password@iAiRA(0
No Malware configuration.

TRiD

.atn | Photoshop Action (37.5)
.gmc | Game Music Creator Music (8.4)
.abr | Adobe PhotoShop Brush (7.5)

EXIF

Composite

VolumeSize: 812 KiB

ISO

VolumeModifyDate: 2024:06:03 18:36:07.00+01:00
VolumeCreateDate: 2024:06:03 18:36:07.00+01:00
Software: PowerISO
RootDirectoryCreateDate: 2024:06:03 18:36:07+01:00
VolumeBlockSize: 2048
VolumeBlockCount: 406
VolumeName: 09404copy
System: Win32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe 09404copy.exe #AGENTTESLA 09404copy.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3980"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\09404copy.isoC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1184"C:\Users\admin\Desktop\09404copy.exe" C:\Users\admin\Desktop\09404copy.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
0.8
Modules
Images
c:\users\admin\desktop\09404copy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1764"C:\Users\admin\Desktop\09404copy.exe"C:\Users\admin\Desktop\09404copy.exe
09404copy.exe
User:
admin
Integrity Level:
HIGH
Description:
Version:
0.8
Modules
Images
c:\users\admin\desktop\09404copy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
AgentTesla
(PID) Process(1764) 09404copy.exe
Protocolsmtp
Hostus2.smtp.mailhostbox.com
Port587
Password@iAiRA(0
1284"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
4 642
Read events
4 610
Write events
32
Delete events
0

Modification events

(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3980) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\09404copy.iso
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3980WinRAR.exeC:\Users\admin\Desktop\09404copy.exeexecutable
MD5:CEC884228C39C9B4637636C642D5F280
SHA256:91A58A047D6EA0C7DDB7C89B0A43A5453FD5D7145C78A836EF803D5FB0F65254
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
1764
09404copy.exe
208.91.199.224:587
us2.smtp.mailhostbox.com
UNIFIEDLAYER-AS-1
US
unknown

DNS requests

Domain
IP
Reputation
us2.smtp.mailhostbox.com
  • 208.91.199.224
  • 208.91.199.225
  • 208.91.198.143
  • 208.91.199.223
unknown

Threats

No threats detected
No debug info