File name: QOUTE_JPEG56A.7z
Full analysis: https://app.any.run/tasks/247535d7-0141-4980-a78e-d3911d4d6e9a
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: July 17, 2019, 07:22:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan, rat, agenttesla, keylogger
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: E417590BA8036CC6BE645A3C6E9C1987
SHA1: 0FBF177EA35A49ECB7BE515EB420C65B56B27790
SHA256: 69D138C765C880C06DC3AE68CCF413D6A1BF79A746B8BFB41062C496BE9C30A2
SSDEEP: 24576:6YmHtqBmirJG8Pu0S4AEjGjJTOYXIesIYCCRu0KOAHbVtEn:6YmNWJxpjGjJawIePlCRu9l7Vw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • QOUTE_JPEG56A.exe (PID: 2888)
    • AGENTTESLA was detected
      • RegAsm.exe (PID: 3796)
    • Actions looks like stealing of personal data
      • RegAsm.exe (PID: 3796)
  • SUSPICIOUS
    • Checks for external IP
      • RegAsm.exe (PID: 3796)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2152)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 3260)
      • WinRAR.exe (PID: 2152)
      • QOUTE_JPEG56A.exe (PID: 2888)
No Malware configuration.

TRiD:
  • .7z | 7-Zip compressed archive (v0.4) (57.1)
  • .7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 44
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph nodes: start, winrar.exe (no specs), winrar.exe, explorer.exe (no specs), qoute_jpeg56a.exe (no specs), regasm.exe (#AGENTTESLA)

Process information

PID: 3512
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\QOUTE_JPEG56A.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2152
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\QOUTE_JPEG56A.r00"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3260
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2888
CMD: "C:\Users\admin\Desktop\QOUTE_JPEG56A.exe"
Path: C:\Users\admin\Desktop\QOUTE_JPEG56A.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3796
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: QOUTE_JPEG56A.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Total events: 847
Read events: 803
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 1

Dropped files

PID: 3512 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3512.18186\QOUTE_JPEG56A.r00
MD5:
SHA256:

PID: 3796 (RegAsm.exe)
Filename: C:\Users\admin\AppData\Local\Temp\636989486997255000_6bf742de-c947-4ebd-88af-7496947acb0e.dbsqlite
MD5: 0B3C43342CE2A99318AA0FE9E531C57B
SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8

PID: 3512 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3512.19041\QOUTE_JPEG56A.r00
Type: compressed
MD5: 69DF540F6CA832341723CC957DC56A26
SHA256: FF95AC9053B73E07E0B40FAC82A71744ECF64290CABF51D81A1742953B3439C1

PID: 2152 (WinRAR.exe)
Filename: C:\Users\admin\Desktop\QOUTE_JPEG56A.exe
Type: executable
MD5: 9FC56CD1466C7031070EDB8ACD032796
SHA256: A11F468EDB623A0290740FE089240047CD5A016375F54A74E4A81A233A6B1919
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 3796
Process: RegAsm.exe
Method: GET
HTTP Code: 200
IP: 52.206.161.133:80
URL: http://checkip.amazonaws.com/
CN: US
Type: text
Size: 16 b
Reputation: shared

Connections

PID: 3796
Process: RegAsm.exe
IP: 52.206.161.133:80
Domain: checkip.amazonaws.com
ASN: Amazon.com, Inc.
CN: US
Reputation: shared

PID: 3796
Process: RegAsm.exe
IP: 208.91.199.224:587
Domain: smtp.focalmedla.com
ASN: PDR
CN: US
Reputation: shared

DNS requests

Domain: checkip.amazonaws.com
IP:
  • 52.206.161.133
  • 52.6.79.229
  • 34.233.102.38
  • 52.202.139.131
  • 18.211.215.84
  • 34.197.157.64
Reputation: shared

Domain: smtp.focalmedla.com
IP:
  • 208.91.199.224
  • 208.91.199.225
  • 208.91.198.143
  • 208.91.199.223
Reputation: malicious

Threats

PID: 3796
Process: RegAsm.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] AgentTesla IP Check

PID: 3796
Process: RegAsm.exe
Class: Generic Protocol Command Decode
Message: SURICATA Applayer Detect protocol only one direction

PID: 3796
Process: RegAsm.exe
Class: Generic Protocol Command Decode
Message: SURICATA SMTP invalid reply
2 ETPRO signatures available at the full report
No debug info