URL: https://gvou7g.by.files.1drv.com/y4mXPAhz4vKUQwuVP4QQfciMaYSEVhvIZlLSsI0nORnVbpoUvXms2nkvt1ooYzE8gedfUtKShS5_C1tgsixVvvjeK1mA1WVCIfZ8OWFS8vflmCeSxCa9908Qk5lOSJ815K6F52upiWDH65hpCcT8BBNm5xtdzJkSs1FcOmTTBvYDtFlZyIhjlIDUTI5fRI2yM0dXPtOLud9arsqQU24BKwo1Q/RFQ%2318122018%23REF-MCC-PD%20PROJECT.rar?download&psid=1

Full analysis: https://app.any.run/tasks/09836d85-fa4a-4c2d-be10-1764339a3bb1
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims by recording keystrokes and user interactions. It is sold on a dedicated website where it is falsely marketed as legitimate software.

Analysis date: December 18, 2018, 12:33:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan, keylogger, agenttesla
Indicators:
MD5: 548FAC0FA7B3FA0B588F653D0E2892B4
SHA1: 4205DB837A8B51452560CB6338F99DD11930B85F
SHA256: 6CD5C3DEE426F9AB686CF33AB17214C88372537726827365CCF90400EEF07067
SSDEEP: 6:2yaYX25lKaMGzlwFAFz4OKlv3evJ+x8PuBqj+WkbIuWDge1kjHXv9n:2hYX25nuAFUNlv3eegpkUnDgqk7/9

These hashes identify the submitted download (the .rar archive). The executable extracted from it, and its copy at C:\Users\admin\AppData\Local\winupdate.exe, have their own MD5/SHA256 in the Dropped files list below, so a hash-based block list needs both sets.
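A small hunting script that hashes files under a directory and matches them against the indicators on this page. This is an added example, not ANY.RUN's code: the IOC_HASHES values are copied from the report (the archive hashes above plus the extracted PE / winupdate.exe hashes from the Dropped files list); the function names and scan layout are this example's own.

```python
"""Hash files and match them against the IOCs of this report (added example)."""
import hashlib
import os

ALGS = ("md5", "sha1", "sha256")

# Copied from the report. First md5/sha256 pair: the submitted .rar archive;
# second pair: the extracted RFQ#...PROJECT.exe, which is byte-identical to
# the persistence copy AppData\Local\winupdate.exe (same hashes on the page).
IOC_HASHES = {
    "md5": {
        "548fac0fa7b3fa0b588f653d0e2892b4",   # RFQ#18122018#REF-MCC-PD PROJECT.rar
        "3f1dea9837c033e057596ba2c8abf776",   # extracted .exe / winupdate.exe
    },
    "sha1": {"4205db837a8b51452560cb6338f99dd11930b85f"},
    "sha256": {
        "6cd5c3dee426f9ab686cf33ab17214c88372537726827365ccf90400eef07067",
        "81afe7082186f7a7b9b7e90906a7e99bff12e02ba3eb9fe5082fbbee88ac6b3b",
    },
}


def digests(data: bytes) -> dict:
    """Lowercase hex MD5/SHA1/SHA256 of an in-memory byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digests() but streamed, so large files are not read whole."""
    hs = {alg: hashlib.new(alg) for alg in ALGS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hs.items()}


def match_iocs(d: dict, iocs: dict = IOC_HASHES) -> list:
    """Return (algorithm, digest) pairs from d that appear in the IOC set.
    IOC values are lowercased so the page's uppercase hashes match as-is."""
    hits = []
    for alg in ALGS:
        known = {v.lower() for v in iocs.get(alg, ())}
        if d.get(alg) in known:
            hits.append((alg, d[alg]))
    return hits


def scan_tree(root: str, iocs: dict = IOC_HASHES) -> dict:
    """Walk root and return {path: matches} for every file hitting an IOC."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                m = match_iocs(digest_file(path), iocs)
            except OSError:
                continue   # locked or unreadable file: skip, do not abort the scan
            if m:
                found[path] = m
    return found


if __name__ == "__main__":
    import sys
    for path, m in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, m)
```

Run it against a user profile (for example `python scan.py C:\Users`) to find both the archive and the dropped copy; matching on all three algorithms is deliberate, since an MD5-only list is easy to defeat with a recompiled build while the page still gives you a SHA256 for both objects.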

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • RFQ#18122018#REF-MCC-PD PROJECT.exe (PID: 3764)
      • winupdate.exe (PID: 3484)
      • winupdate.exe (PID: 2436)
    • Changes the autorun value in the registry
      • winupdate.exe (PID: 2436)
      • winupdate.exe (PID: 3484)
    • Detected AgentTesla Keylogger
      • winupdate.exe (PID: 3484)
    • Actions look like stealing of personal data
      • winupdate.exe (PID: 3484)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 3556)
      • WinRAR.exe (PID: 3200)
      • WinRAR.exe (PID: 2296)
      • winupdate.exe (PID: 3484)
    • Application launched itself
      • WinRAR.exe (PID: 2296)
      • winupdate.exe (PID: 2436)
    • Starts CMD.EXE for command execution
      • RFQ#18122018#REF-MCC-PD PROJECT.exe (PID: 3764)
    • Reads Windows Product ID
      • winupdate.exe (PID: 3484)
    • Checks for external IP
      • winupdate.exe (PID: 3484)
    • Creates files in the user directory
      • winupdate.exe (PID: 3484)
    • Reads Internet Cache Settings
      • winupdate.exe (PID: 3484)
    • Connects to SMTP port
      • winupdate.exe (PID: 3484)
    • Loads DLL from Mozilla Firefox
      • winupdate.exe (PID: 3484)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 2804)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3092)
      • iexplore.exe (PID: 2804)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2804)
      • winupdate.exe (PID: 3484)
    • Changes internet zones settings
      • iexplore.exe (PID: 2804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Process chain, read from the parent-process column of the table below: explorer.exe starts iexplore.exe (2804, with tab process 3092), which opens the downloaded archive in WinRAR.exe (2296; 3200 is its elevated instance, started with -elevate2296). WinRAR runs the extracted RFQ#18122018#REF-MCC-PD PROJECT.exe (3764), which uses cmd.exe (3556) to copy itself to C:\Users\admin\AppData\Local\winupdate.exe and a second cmd.exe (3788) to start that copy (2436), which in turn launches another winupdate.exe (3484), the process carrying the #AGENTTESLA label. taskmgr.exe (2184) was started from explorer.exe and is not part of the chain. Processes marked "no specs" in the graph triggered no signatures of their own.

Process information

PID: 2804
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3092
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2804 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2296
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\RFQ#18122018#REF-MCC-PD%20PROJECT[1].rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3200
CMD: "C:\Program Files\WinRAR\WinRAR.exe" -elevate2296
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: HIGH
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3764
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe
Parent process: WinRAR.exe
User: admin
Company: adod inc
Integrity Level: MEDIUM
Description: adod document
Exit code: 0
Version: 1.0.2.7

PID: 2184
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3556
CMD: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe" "C:\Users\admin\AppData\Local\winupdate.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: RFQ#18122018#REF-MCC-PD PROJECT.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3788
CMD: "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Local\winupdate.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: RFQ#18122018#REF-MCC-PD PROJECT.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2436
CMD: "C:\Users\admin\AppData\Local\winupdate.exe"
Path: C:\Users\admin\AppData\Local\winupdate.exe
Parent process: cmd.exe
User: admin
Company: adod inc
Integrity Level: MEDIUM
Description: adod document
Exit code: 0
Version: 1.0.2.7

PID: 3484
CMD: "C:\Users\admin\AppData\Local\winupdate.exe"
Path: C:\Users\admin\AppData\Local\winupdate.exe
Parent process: winupdate.exe
User: admin
Company: adod inc
Integrity Level: MEDIUM
Description: adod document
Exit code: (still running at end of analysis)
Version: 1.0.2.7
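Detection logic for the chain in the process table above, run over process-creation events transcribed from that table. This is an added example and not ANY.RUN's own signatures: the event list is constructed from the page (parent PIDs are not on the page, so the rules key on the parent image name as the report lists it), and the rule names, the LOOKALIKE_NAMES watch-list and the BROWSERS allow-list are this example's assumptions.

```python
"""Process-creation rules for the WinRAR -> dropper -> cmd copy -> winupdate.exe
chain in this report (added example; events transcribed from the page)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # parent image name, as the report's table lists it
    cmdline: str


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
RAR = r"C:\Program Files\WinRAR\WinRAR.exe"
RAR_ARCHIVE = (r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
               r"\Low\Content.IE5\OCDM6JB6\RFQ#18122018#REF-MCC-PD%20PROJECT[1].rar")
TMP_EXE = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WINUPDATE = r"C:\Users\admin\AppData\Local\winupdate.exe"

# Constructed from the report's process table (PIDs, images, parents, command lines).
EVENTS = [
    ProcEvent(2804, IE, "explorer.exe", f'"{IE}" -nohome'),
    ProcEvent(3092, IE, "iexplore.exe", f'"{IE}" SCODEF:2804 CREDAT:71937'),
    ProcEvent(2296, RAR, "iexplore.exe", f'"{RAR}" "{RAR_ARCHIVE}"'),
    ProcEvent(3200, RAR, "WinRAR.exe", f'"{RAR}" -elevate2296'),
    ProcEvent(3764, TMP_EXE, "WinRAR.exe", f'"{TMP_EXE}" '),
    ProcEvent(2184, r"C:\Windows\system32\taskmgr.exe", "explorer.exe",
              r'"C:\Windows\system32\taskmgr.exe" /4'),
    ProcEvent(3556, CMD, "RFQ#18122018#REF-MCC-PD PROJECT.exe",
              f'"{CMD}" /c copy "{TMP_EXE}" "{WINUPDATE}"'),
    ProcEvent(3788, CMD, "RFQ#18122018#REF-MCC-PD PROJECT.exe", f'"{CMD}" /c, "{WINUPDATE}"'),
    ProcEvent(2436, WINUPDATE, "cmd.exe", f'"{WINUPDATE}"'),
    ProcEvent(3484, WINUPDATE, "winupdate.exe", f'"{WINUPDATE}"'),
]

# Assumed lists: browsers are multi-process by design, so self-launch is normal
# for them; the look-alike names imitate Windows components but never live
# outside C:\Windows on a clean system.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
LOOKALIKE_NAMES = {"winupdate.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}

# cmd.exe /c copy "<anything>.exe" "<...>\AppData\Local\<...>.exe"
COPY_TO_APPDATA = re.compile(r'/c\s+copy\s+"[^"]*\.exe"\s+"[^"]*\\appdata\\local\\[^"]*\.exe"')
# cmd.exe /c "<...>\AppData\Local\<name>.exe"  (the dropper's odd "/c," form included)
RUN_FROM_APPDATA = re.compile(r'/c,?\s+"[^"]*\\appdata\\local\\[^"\\]+\.exe"\s*$')


def basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return {pid: [finding, ...]} for every event that trips a rule."""
    findings = {}
    for e in events:
        hits = []
        img, parent, cmd = basename(e.image), e.parent_image.lower(), e.cmdline.lower()
        if parent == "winrar.exe" and "\\rar$ex" in e.image.lower():
            hits.append("executable started straight from the WinRAR temp extraction directory")
        if img == "cmd.exe" and COPY_TO_APPDATA.search(cmd):
            hits.append("cmd.exe copies an executable into AppData\\Local (persistence staging)")
        if img == "cmd.exe" and RUN_FROM_APPDATA.search(cmd):
            hits.append("cmd.exe starts an executable from AppData\\Local")
        if img in LOOKALIKE_NAMES and not e.image.lower().startswith("c:\\windows\\"):
            hits.append(f"{img} running outside C:\\Windows (system-binary look-alike name)")
        if img == parent and img not in BROWSERS:
            hits.append("application launched itself")
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, *hits, sep="\n    ")
```

The rules fire on 3200, 3764, 3556, 3788, 2436 and 3484 and stay silent on both Internet Explorer processes, the first WinRAR instance and Task Manager. The self-launch rule attributes the hit to the child (3200, 3484) where the report attributes it to the parent (2296, 2436); either convention works as long as the rule is applied consistently across a fleet. On real telemetry (Sysmon event 1, EDR process events) the same fields are available as Image, ParentImage and CommandLine.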
Total events: 1 348
Read events: 1 218
Write events: 0
Delete events: 0

Modification events: no data

Note that this summary lists no registry write or modification events even though the "Changes the autorun value in the registry" signature fired for PIDs 2436 and 3484; the key that was written is only visible in the full report.

Executable files: 4
Suspicious files: 2
Text files: 3
Unknown types: 2

Dropped files

PID 2804, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5/SHA256: not listed

PID 2804, iexplore.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5/SHA256: not listed

PID 2804, iexplore.exe
File: C:\Users\admin\AppData\Local\Temp\~DF4DB4C6D6DBD61A30.TMP
MD5/SHA256: not listed

PID 2804, iexplore.exe
File: C:\Users\admin\AppData\Local\Temp\~DF0B4C56AA0F9010A3.TMP
MD5/SHA256: not listed

PID 2804, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{37746C55-02C1-11E9-BAD8-5254004A04AF}.dat
MD5/SHA256: not listed

PID 3092, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018121820181219\index.dat
Type: dat
MD5: B47F6B1659B1ADA2A2521A24439250BB
SHA256: 42ADB2FFBEDB8141AB4652673F4678CE6D16A67E16BC7983935DE3DA1914F45B

PID 2804, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018121820181219\index.dat
Type: dat
MD5: 25355914E69D9C19872F17B4A835681F
SHA256: 145F86DCF7787ED027A65F04D6A50D4C8EFDFD136D030C855347C43822A633B6

PID 3556, cmd.exe
File: C:\Users\admin\AppData\Local\winupdate.exe
Type: executable
MD5: 3F1DEA9837C033E057596BA2C8ABF776
SHA256: 81AFE7082186F7A7B9B7E90906A7E99BFF12E02BA3EB9FE5082FBBEE88AC6B3B

PID 3092, iexplore.exe
File: C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
Type: text
MD5: BCF94C03420CC33FC20BEC17F79A1738
SHA256: DA6DE13102708580C825328210D3D5A8D91690A14D931F9F09FA94C5EDC0FD01

PID 2296, WinRAR.exe
File: C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe
Type: executable
MD5: 3F1DEA9837C033E057596BA2C8ABF776
SHA256: 81AFE7082186F7A7B9B7E90906A7E99BFF12E02BA3EB9FE5082FBBEE88AC6B3B

The executable WinRAR extracted and the winupdate.exe that cmd.exe wrote to AppData\Local have identical MD5 and SHA256 values, so the persistence copy is byte-for-byte the same file as the downloaded payload; one hash pair covers both locations.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

PID   Process        Method  HTTP Code  IP                  URL                              CN  Type   Size   Reputation
2804  iexplore.exe   GET     200        204.79.197.200:80   http://www.bing.com/favicon.ico  US  image  237 b  whitelisted
3484  winupdate.exe  GET     200        216.146.43.71:80    http://checkip.dyndns.org/       US  html   104 b  shared

Connections

PID   Process        IP:port             Domain                    ASN                             CN  Reputation
3092  iexplore.exe   13.107.42.12:443    gvou7g.by.files.1drv.com  Microsoft Corporation           US  suspicious
2804  iexplore.exe   204.79.197.200:80   www.bing.com              Microsoft Corporation           US  whitelisted
3484  winupdate.exe  217.70.178.9:587    mail.gandi.net            GANDI SAS                       FR  malicious
3484  winupdate.exe  216.146.43.71:80    checkip.dyndns.org        Dynamic Network Services, Inc.  US  shared

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
gvou7g.by.files.1drv.com
  • 13.107.42.12
whitelisted
checkip.dyndns.org
  • 216.146.43.71
  • 216.146.43.70
  • 131.186.113.70
shared
mail.gandi.net
  • 217.70.178.9
shared

Threats

PID            Process        Class                                  Message
(none listed)  (none listed)  Misc activity                          ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
3484           winupdate.exe  Potential Corporate Privacy Violation  ET POLICY External IP Lookup - checkip.dyndns.org
3484           winupdate.exe  Potentially Bad Traffic                ET POLICY DynDNS CheckIp External IP Address Server Response
1 ETPRO signatures available at the full report
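A correlation rule for the network behaviour in this report: the ET signatures above flag the external-IP lookup on its own, but the stronger signal is a process that both queries an external-IP service and opens an SMTP connection, which is what PID 3484 does here. This is an added example, not ANY.RUN's code or the ET ruleset: the event list is transcribed from the Connections table (the page gives no timestamps, so the rule is order-independent), and the MAIL_CLIENTS allow-list and IP_LOOKUP_DOMAINS watch-list are this example's assumptions.

```python
"""Correlate external-IP lookup with SMTP use per process (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class NetEvent:
    pid: int
    process: str
    dst_ip: str
    dst_port: int
    domain: str


# Constructed from the report's Connections table, in the order the page lists
# them (that order is not a timeline).
EVENTS = [
    NetEvent(3092, "iexplore.exe", "13.107.42.12", 443, "gvou7g.by.files.1drv.com"),
    NetEvent(2804, "iexplore.exe", "204.79.197.200", 80, "www.bing.com"),
    NetEvent(3484, "winupdate.exe", "217.70.178.9", 587, "mail.gandi.net"),
    NetEvent(3484, "winupdate.exe", "216.146.43.71", 80, "checkip.dyndns.org"),
]

SMTP_PORTS = {25, 465, 587}
# Assumed lists: processes allowed to talk SMTP, and public-IP echo services
# commonly used by stealers to tag their exfiltrated data.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "ipinfo.io",
                     "icanhazip.com", "ifconfig.me"}


def evaluate(events):
    """Return {pid: [finding, ...]}; the last finding for a pid is the
    HIGH-severity correlation when both behaviours come from one process."""
    tags = defaultdict(set)
    findings = defaultdict(list)
    for e in events:
        if e.dst_port in SMTP_PORTS and e.process.lower() not in MAIL_CLIENTS:
            tags[e.pid].add("smtp")
            findings[e.pid].append(
                f"non-mail process {e.process} connects to SMTP {e.domain}:{e.dst_port}")
        if e.domain.lower() in IP_LOOKUP_DOMAINS:
            tags[e.pid].add("iplookup")
            findings[e.pid].append(f"{e.process} queries external-IP service {e.domain}")
    for pid, t in tags.items():
        if {"smtp", "iplookup"} <= t:
            findings[pid].append(
                "HIGH: external-IP lookup plus SMTP from the same process "
                "(Agent Tesla SMTP exfiltration pattern)")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, *hits, sep="\n    ")
```

Two points for response: mail.gandi.net is a hosting provider's shared mail server, so blocking its IP punishes legitimate users and does nothing against the next sample; the durable control is denying outbound 25/465/587 to everything except your mail infrastructure and alerting on the remainder. And the report extracted no malware configuration, so the mailbox credentials the sample uses are not on this page; pull them from the SMTP stream in the PCAP (port 587 here, so check whether STARTTLS was negotiated) or from the unpacked binary.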
No debug info