File name: Shipping Details.ace
Full analysis: https://app.any.run/tasks/d98cebf7-23e7-47e1-abe4-875d4b532fe7
Verdict: Malicious activity
Threats:
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: November 30, 2020, 00:41:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, agenttesla
Indicators:
MIME: application/octet-stream
File info: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5: 11E88A20552BC318E875F60D01E1A2F0
SHA1: E81FD99B743EF8FA8E0428DBB4AE917BFE51C119
SHA256: 754A3E830B7E83E3E29D1C0DC83A7365089B408F6E6A3381D66FBFB8D4EEE2D7
SSDEEP: 49152:yJD0ZqRsiO42/E8kZL66vvGA4F9UiI8bkgqqj74oC5vS/Kmat:MD0eON/Eb26vvyF9xI8bkgqqj7NC5uat

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Shipping Details.exe (PID: 3104)
      • Shipping Details.exe (PID: 1532)
    • Writes to a start menu file
      • Shipping Details.exe (PID: 3104)
    • Changes the autorun value in the registry
      • Shipping Details.exe (PID: 3104)
    • Changes the login/logoff helper path in the registry
      • Shipping Details.exe (PID: 3104)
    • Changes settings of System certificates
      • Shipping Details.exe (PID: 3104)
      • Shipping Details.exe (PID: 1532)
    • Disables Windows Defender
      • Shipping Details.exe (PID: 3104)
    • AGENTTESLA was detected
      • Shipping Details.exe (PID: 1532)
    • Actions look like stealing of personal data
      • Shipping Details.exe (PID: 1532)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Shipping Details.exe (PID: 3104)
    • Creates files in the user directory
      • Shipping Details.exe (PID: 3104)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 2452)
      • powershell.exe (PID: 2952)
      • powershell.exe (PID: 1692)
    • Drops a file with a compile date too recent
      • Shipping Details.exe (PID: 3104)
    • Reads Environment values
      • Shipping Details.exe (PID: 3104)
    • Executes PowerShell scripts
      • Shipping Details.exe (PID: 3104)
    • Application launched itself
      • Shipping Details.exe (PID: 3104)
    • Adds / modifies Windows certificates
      • Shipping Details.exe (PID: 3104)
      • Shipping Details.exe (PID: 1532)
  • INFO
    • Manual execution by user
      • Shipping Details.exe (PID: 3104)
    • Reads settings of System Certificates
      • Shipping Details.exe (PID: 3104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No malware configuration.

TRiD: .ace | ACE compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process nodes)

  • start
  • drop and start
  • winrar.exe (no specs)
  • shipping details.exe
  • powershell.exe (no specs), 4 instances
  • #AGENTTESLA shipping details.exe

Process information

PID 2532: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Shipping Details.ace"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3104: "C:\Users\admin\Desktop\Shipping Details.exe"
  Path: C:\Users\admin\Desktop\Shipping Details.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 1

PID 2660: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe" -Force
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Shipping Details.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2952: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe" -Force
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Shipping Details.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1692: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe" -Force
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Shipping Details.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2452: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\Desktop\Shipping Details.exe" -Force
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Shipping Details.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1532: "C:\Users\admin\Desktop\Shipping Details.exe"
  Path: C:\Users\admin\Desktop\Shipping Details.exe
  Parent process: Shipping Details.exe
  User: admin
  Integrity Level: MEDIUM
Total events: 1 632
Read events: 1 336
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID 2532, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa2532.23091\Shipping Details.exe
PID 2660, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XDKINBJC9FWE2CISEGC6.temp
PID 2952, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAIMR4WEZ9ZHXLCXYZOL.temp
PID 1692, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2E27ACK8GYYG7EOZWHV3.temp
PID 2452, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JBU5K7TJIFGW4GVF71A2.temp
PID 1692, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15a37d.TMP (binary)
  MD5: 0D6446454B8F30B91D30E67B31109113
  SHA256: 87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D
PID 1692, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (binary)
  MD5: 0D6446454B8F30B91D30E67B31109113
  SHA256: 87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D
PID 3104, Shipping Details.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe (executable)
  MD5: CC8EF813FB4C4327BE560B7D93477255
  SHA256: 9D7CA9F4392F37E6985E5E215769CA04E656DEE089E41192ACA270E0829915CD
PID 2452, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15a38d.TMP (binary)
  MD5: 0D6446454B8F30B91D30E67B31109113
  SHA256: 87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D
PID 2452, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (binary)
  MD5: 0D6446454B8F30B91D30E67B31109113
  SHA256: 87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 3104 (Shipping Details.exe): IP 104.23.99.190:443, domain pastebin.com, ASN Cloudflare Inc, CN US, reputation malicious
PID 1532 (Shipping Details.exe): IP 23.21.42.25:443, domain api.ipify.org, ASN Amazon.com, Inc., CN US, reputation malicious
PID 1532 (Shipping Details.exe): IP 144.208.71.113:587, domain mail.gayaceramic.com, ASN InMotion Hosting, Inc., CN US, reputation malicious

DNS requests

pastebin.com (reputation: shared)
  • 104.23.99.190
  • 104.23.98.190
api.ipify.org (reputation: shared)
  • 23.21.42.25
  • 54.235.83.248
  • 54.235.182.194
  • 54.225.220.115
  • 50.19.252.36
  • 54.225.169.28
  • 54.243.161.145
  • 174.129.214.20
mail.gayaceramic.com (reputation: malicious)
  • 144.208.71.113

Threats

PID 1532 (Shipping Details.exe), Misc activity: SUSPICIOUS [PTsecurity] ipify.org External IP Check
PID 1532 (Shipping Details.exe), Misc activity: SUSPICIOUS [PTsecurity] ipify.org External IP Check
PID 1532 (Shipping Details.exe), Generic Protocol Command Decode: SURICATA Applayer Detect protocol only one direction
PID 1532 (Shipping Details.exe), A Network Trojan was detected: SPYWARE [PTsecurity] AgentTesla Exfiltration
1 ETPRO signatures available at the full report
Process: Shipping Details.exe, Message: dewfew few fewfew we off
Process: Shipping Details.exe, Message: fewfew fewf ewfewfewf off