URL: | http://maryshoodies.com/hid.exe |
Full analysis: | https://app.any.run/tasks/12985218-c97b-42a1-b63a-afbdd16a3762 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | June 19, 2019, 11:19:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 738246BE47A7BE2D39EA9015B0A456A7 |
SHA1: | 9817963F2EDE041C86E10E3EBDD93C7706694B48 |
SHA256: | 8185C49462710A35A4EB573ABCDBE0EADEFCAAF792B8F19689ACF01DACBB132B |
SSDEEP: | 3:N1KTjKKKC/M9N:CnRKCE9N |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2140 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2672 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1140 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe | — | iexplore.exe |
User: admin Integrity Level: MEDIUM Description: VistaTask Exit code: 0 Version: 1.4.8.0 | ||||
3184 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\hid[1].exe | hid[1].exe | |
User: admin Integrity Level: MEDIUM Description: VistaTask Version: 1.4.8.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF395026EF8ACF2C00.TMP | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF33A392F763A625D0.TMP | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{31CC76D7-9284-11E9-A09E-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPOQ7C21\hid[1].exe | executable | |
MD5:5E12FAC2C65EA9F4B1E79611E3187EBD | SHA256:20B356B1D97FFB9F30F6B9E06C07DD06C0C424FE2D1915E887BC2EC4CB4EF56D | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061920190620\index.dat | dat | |
MD5:47AEEF2015485BDC976AF7AF05E2D9AB | SHA256:4372D2F0C8F408A3EE32C5B0BE82EC2C5F61E76B93F692E7208CAEB42A412935 | |||
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019061920190620\index.dat | dat | |
MD5:48062DD9BE0076DCE50EE9EAD420FB2E | SHA256:5F5B583745D6CBBD332FC85C9AD0F1EBEB673FEC1DED6ADB5B67F84C56A725B7 | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{31CC76D8-9284-11E9-A09E-5254004A04AF}.dat | binary | |
MD5:048C715766798587C84E96BAB774119F | SHA256:CE1C332F6CF46B1F14AA470C91FA87FB6A16F6C9B87BC0B5AD2BE49B5EE06105 | |||
2672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:84CD9F614E748552F74320697D36F2A9 | SHA256:1B1DE62E3BD9F3E7ACC9F9F4B83F77A2D6C0051E0F09E7240FB15A925BAC6D11 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2672 | iexplore.exe | GET | 200 | 107.180.14.68:80 | http://maryshoodies.com/hid.exe | US | executable | 369 Kb | malicious |
3184 | hid[1].exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
2140 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2140 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3184 | hid[1].exe | 160.153.16.59:587 | newstylesmalta.com | GoDaddy.com, LLC | US | malicious |
2672 | iexplore.exe | 107.180.14.68:80 | maryshoodies.com | GoDaddy.com, LLC | US | malicious |
3184 | hid[1].exe | 52.202.139.131:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
maryshoodies.com |
| malicious |
newstylesmalta.com |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2672 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2672 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3184 | hid[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3184 | hid[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |