File name: | Shipping Details.ace |
Full analysis: | https://app.any.run/tasks/d98cebf7-23e7-47e1-abe4-875d4b532fe7 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | November 30, 2020, 00:41:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
MD5: | 11E88A20552BC318E875F60D01E1A2F0 |
SHA1: | E81FD99B743EF8FA8E0428DBB4AE917BFE51C119 |
SHA256: | 754A3E830B7E83E3E29D1C0DC83A7365089B408F6E6A3381D66FBFB8D4EEE2D7 |
SSDEEP: | 49152:yJD0ZqRsiO42/E8kZL66vvGA4F9UiI8bkgqqj74oC5vS/Kmat:MD0eON/Eb26vvyF9xI8bkgqqj7NC5uat |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2532 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Shipping Details.ace" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3104 | "C:\Users\admin\Desktop\Shipping Details.exe" | C:\Users\admin\Desktop\Shipping Details.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
2660 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe" -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Shipping Details.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2952 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe" -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Shipping Details.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1692 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe" -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Shipping Details.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2452 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\Desktop\Shipping Details.exe" -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Shipping Details.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1532 | "C:\Users\admin\Desktop\Shipping Details.exe" | C:\Users\admin\Desktop\Shipping Details.exe | Shipping Details.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2532.23091\Shipping Details.exe | — | |
MD5:— | SHA256:— | |||
2660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XDKINBJC9FWE2CISEGC6.temp | — | |
MD5:— | SHA256:— | |||
2952 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAIMR4WEZ9ZHXLCXYZOL.temp | — | |
MD5:— | SHA256:— | |||
1692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2E27ACK8GYYG7EOZWHV3.temp | — | |
MD5:— | SHA256:— | |||
2452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JBU5K7TJIFGW4GVF71A2.temp | — | |
MD5:— | SHA256:— | |||
1692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15a37d.TMP | binary | |
MD5:0D6446454B8F30B91D30E67B31109113 | SHA256:87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D | |||
1692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0D6446454B8F30B91D30E67B31109113 | SHA256:87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D | |||
3104 | Shipping Details.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Details.exe | executable | |
MD5:CC8EF813FB4C4327BE560B7D93477255 | SHA256:9D7CA9F4392F37E6985E5E215769CA04E656DEE089E41192ACA270E0829915CD | |||
2452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15a38d.TMP | binary | |
MD5:0D6446454B8F30B91D30E67B31109113 | SHA256:87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D | |||
2452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0D6446454B8F30B91D30E67B31109113 | SHA256:87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3104 | Shipping Details.exe | 104.23.99.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
1532 | Shipping Details.exe | 23.21.42.25:443 | api.ipify.org | Amazon.com, Inc. | US | malicious |
1532 | Shipping Details.exe | 144.208.71.113:587 | mail.gayaceramic.com | InMotion Hosting, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
api.ipify.org |
| shared |
mail.gayaceramic.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1532 | Shipping Details.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
1532 | Shipping Details.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
1532 | Shipping Details.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
1532 | Shipping Details.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
Process | Message |
---|---|
Shipping Details.exe | dewfew few fewfew we off
|
Shipping Details.exe | fewfew fewf ewfewfewf off
|