File name: | fgff.exe |
Full analysis: | https://app.any.run/tasks/d73e63ee-01b8-4148-9fdc-32aa4728c5cb |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 11, 2019, 17:23:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D480BB05BD44BE84AB85532CE07C45B1 |
SHA1: | FEEEB5DB99F5216978817160CBF109485905780B |
SHA256: | 814398C752DEDA340C2B015AB64F844EA354BE45F268994B18DBDDC287EA24A4 |
SSDEEP: | 12288:bNZRcZKCpmCyr8J8J46Iiegd9UodldJllp/+hiBrND3F/yJK:HSRsCs8JbGfdXldvAi1b/f |
.exe | | | Win32 EXE PECompact compressed (generic) (52.3) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (17.8) |
.scr | | | Windows screen saver (16.4) |
.exe | | | Win32 Executable (generic) (5.6) |
.exe | | | Win16/32 Executable Delphi generic (2.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x5baf0 |
UninitializedDataSize: | - |
InitializedDataSize: | 352256 |
CodeSize: | 371712 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1992:06:09 07:41:59+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Jun-1992 05:41:59 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 09-Jun-1992 05:41:59 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x0005AB38 | 0x0005AC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.50777 |
DATA | 0x0005C000 | 0x000099C4 | 0x00009A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.16404 |
BSS | 0x00066000 | 0x00000F21 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00067000 | 0x000020C0 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.90694 |
.tls | 0x0006A000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0006B000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.20692 |
.reloc | 0x0006C000 | 0x0000700C | 0x00007200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.61351 |
.rsrc | 0x00074000 | 0x00042EE8 | 0x00043000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.31149 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.4909 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 2.80231 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
3 | 3.00046 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
4 | 2.56318 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
5 | 2.6949 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
6 | 2.62527 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
1000 | 5.15079 | 156 | Latin 1 / Western European | English - United States | RT_DLGINCLUDE |
1048 | 6.5056 | 1767 | Latin 1 / Western European | English - United States | RT_BITMAP |
1049 | 7.58087 | 1767 | Latin 1 / Western European | English - United States | RT_BITMAP |
advapi32.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
oleaut32.dll |
user32.dll |
version.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3248 | "C:\Users\admin\AppData\Local\Temp\fgff.exe" | C:\Users\admin\AppData\Local\Temp\fgff.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2900 | "C:\Users\admin\AppData\Local\Temp\fgff.exe" | C:\Users\admin\AppData\Local\Temp\fgff.exe | fgff.exe | |
User: admin Integrity Level: MEDIUM | ||||
2404 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | fgff.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3316 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | fgff.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3860 | "C:\Users\admin\AppData\Local\Temp\fgff.exe" | C:\Users\admin\AppData\Local\Temp\fgff.exe | — | eventvwr.exe |
User: admin Integrity Level: HIGH | ||||
2632 | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\system32\REG.exe | — | fgff.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2900 | fgff.exe | C:\Users\admin\AppData\Local\Temp\636984663018725000_a9906002-e2e9-455b-bbde-763b4f7b7437.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
2900 | fgff.exe | C:\Users\admin\AppData\Local\Temp\temp.tmp | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2900 | fgff.exe | GET | 200 | 52.206.161.133:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2900 | fgff.exe | 52.206.161.133:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
2900 | fgff.exe | 198.187.29.188:587 | mail.cjcurrent.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
mail.cjcurrent.com |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2900 | fgff.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2900 | fgff.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2900 | fgff.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |