Field | Value |
---|---|
URL | http://anthrohub.org/.well-known/dickhead.exe |
Full analysis | https://app.any.run/tasks/201c63f9-eff6-41f9-82a6-6adbab6b5e37 |
Verdict | Malicious activity |
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date | December 06, 2018, 17:08:42 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MD5 | 0756EB1BEA92F26BBAD59E952C435E66 |
SHA1 | 70F8AD3BB77E558BCCB5F5C4919A1316D8198637 |
SHA256 | 8189CF38C36AC32B3E1D9A5391C3EA4DBD96E1843827EE4F360DEAC9C919EFDB |
SSDEEP | 3:N1KflFWQHLWLzTLKH8NbNn:CtFWQCLzTUcZ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe |
3204 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2948 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
3044 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\dickhead[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\dickhead[1].exe | — | iexplore.exe |
3120 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\dickhead[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\dickhead[1].exe | — | dickhead[1].exe |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
2948 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 8.00.7600.16385 (win7_rtm.090713-1255) |
3204 | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 8.00.7600.16385 (win7_rtm.090713-1255) |
3044 | admin | Mandis Companies Inc. | MEDIUM | Dynamic Module | 0 | 13.11.7.3 |
3120 | admin | Mandis Companies Inc. | MEDIUM | Dynamic Module | — | 13.11.7.3 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | — |
2948 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFCF1C54B46AC947AF.TMP | — | — | — |
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF882AE274856F59D8.TMP | — | — | — |
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9E2BC8D1-F979-11E8-834A-5254004A04AF}.dat | — | — | — |
3204 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | C1A4B5653999D2D9DB1A90A4CE2E428C | B249D93222F5D4975839E81A2C735891A03ADEC871FB5CD79B34B61551152E26 |
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9E2BC8D2-F979-11E8-834A-5254004A04AF}.dat | binary | 30C2296C6A60CC45814D8D6F73F69E22 | 6A561FE89E9BE8A98938B5FF09ABB0DC51B0643168BDB83073D6BE2EAA38FC13 |
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\dickhead[1].exe:Zone.Identifier | text | FBCCF14D504B7B2DBCB5A5BDA75BD93B | EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\dickhead[1].exe:Zone.Identifier | text | FBCCF14D504B7B2DBCB5A5BDA75BD93B | EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
3204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207\index.dat | dat | 7392809A8B6B167C02E23A89AE3371A6 | 44ED81F914617AD86231E28F4E6BD6A2ED955D88C12CB7472D42BF039F480247 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3204 | iexplore.exe | GET | 200 | 192.185.16.105:80 | http://anthrohub.org/.well-known/dickhead.exe | US | executable | 641 Kb | malicious |
3120 | dickhead[1].exe | GET | 200 | 216.146.43.70:80 | http://checkip.dyndns.org/ | US | html | 107 b | shared |
2948 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2948 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3204 | iexplore.exe | 192.185.16.105:80 | anthrohub.org | CyrusOne LLC | US | malicious |
3120 | dickhead[1].exe | 216.146.43.70:80 | checkip.dyndns.org | Dynamic Network Services, Inc. | US | shared |
3120 | dickhead[1].exe | 208.91.198.143:587 | smtp.cilizltd.com | PDR | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
anthrohub.org | — | malicious |
checkip.dyndns.org | — | shared |
smtp.cilizltd.com | — | shared |
PID | Process | Class | Message |
---|---|---|---|
3204 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
3120 | dickhead[1].exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
3120 | dickhead[1].exe | Potentially Bad Traffic | ET POLICY DynDNS CheckIp External IP Address Server Response |
3120 | dickhead[1].exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3120 | dickhead[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla Exfiltration via SMTP |
3120 | dickhead[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla Exfiltration via SMTP |
Process | Message |
---|---|
dickhead[1].exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
dickhead[1].exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
dickhead[1].exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
dickhead[1].exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
dickhead[1].exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
dickhead[1].exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
dickhead[1].exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
dickhead[1].exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |