URL: | http://theubergroups.com/winos/ion.exe |
Full analysis: | https://app.any.run/tasks/7b2f87d2-ed6e-4c40-9336-8ece28a69111 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date: | January 22, 2019, 17:22:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 47E06836EB64DA6F1AE1C537A3B925BE |
SHA1: | 11A865D33B2D7D1EB0B85D42EF6D8C197E3CA40E |
SHA256: | 72C7E46BDB4C4F974D1E85979AD2BB179FECCE9B1DC5DB8EE15FDDAC91A8C34D |
SSDEEP: | 3:N1KKN1Hxu0MkMKL0Cn:CKN1Rj/LL0C |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3068 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3220 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\ion[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\ion[1].exe | — | iexplore.exe |
User: admin Integrity Level: MEDIUM Description: — Version: 0.0.0.0 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2940 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD4B35091EE1F256C.TMP | — | |
MD5:— | SHA256:— | |||
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF7555DCA05FC15682.TMP | — | |
MD5:— | SHA256:— | |||
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{460FA3AF-1E6A-11E9-91D7-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | |
MD5:3E9D2A7687346729F1B19616C0853A71 | SHA256:1BEF65F315EB14B7E8F5C2504540174A32901C62AED62A574B42A78C506152C4 | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019012220190123\index.dat | dat | |
MD5:32C220003C937C49EFC58E7E03C8C411 | SHA256:514A751F142901BFEC6AD19491484C73B6399879B92CD68C436FD904B6A64FE8 | |||
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat | dat | |
MD5:C0EFF6E5324AFCCC6E10B4BE18711E38 | SHA256:0F25367C66FFEA1BE5F075CAEA286E7C7A858AEB07D487A965D26FF4CF175332 | |||
3068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ion[1].exe | executable | |
MD5:8D57ADFDCB089759894BCC52F2344EDC | SHA256:FCAB04DADA4CE3264B2C63B978F9AEC31466B0701149139728DF5FDBCBF8463A | |||
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\ion[1].exe | executable | |
MD5:8D57ADFDCB089759894BCC52F2344EDC | SHA256:FCAB04DADA4CE3264B2C63B978F9AEC31466B0701149139728DF5FDBCBF8463A | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3220 | ion[1].exe | GET | 200 | 52.0.208.170:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
3068 | iexplore.exe | GET | 200 | 185.224.138.174:80 | http://theubergroups.com/winos/ion.exe | unknown | executable | 355 Kb | suspicious |
2940 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3068 | iexplore.exe | 185.224.138.174:80 | theubergroups.com | — | — | suspicious |
2940 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3220 | ion[1].exe | 52.0.208.170:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3220 | ion[1].exe | 208.91.199.223:587 | smtp.pgm-gruop.eu | PDR | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
theubergroups.com | — | unknown |
smtp.pgm-gruop.eu | — | shared |
checkip.amazonaws.com | — | shared |
PID | Process | Class | Message |
---|---|---|---|
3068 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3068 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3220 | ion[1].exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3220 | ion[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3220 | ion[1].exe | A Network Trojan was detected | SC SPYWARE Possible account leak via SMTP |
3220 | ion[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |