File name: | 5140955571716096.zip |
Full analysis: | https://app.any.run/tasks/e25f40ee-18c8-42bf-b008-852a7485b8ca |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 13, 2020, 05:19:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 588C1E9F7727708582B996D23AC0C46A |
SHA1: | 7ABA276916EAE024266F2DB87CD8B6AD78B25042 |
SHA256: | 89AB2FB109934256696C54D45ED078B6693A9C06859C27DB4D3D0BF355E4B8BD |
SSDEEP: | 12288:ZrJtHDABhS1ZHbfMD1BNokLS3kKYanuGx0ptIcMlLyQ:ZrDDABhAHrUOkO3kKYa9MAGQ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 976373c12d489dc93d5e7181341f88592fa1fbefc94afb31c736d5216e414717 |
---|---|
ZipUncompressedSize: | 433883 |
ZipCompressedSize: | 434035 |
ZipCRC: | 0xaa7a815e |
ZipModifyDate: | 1980:00:00 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3160 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5140955571716096.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3668 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\a.zip" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3008 | "C:\Users\admin\Desktop\Informative Program on.exe" | C:\Users\admin\Desktop\Informative Program on.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: SectorBoot Exit code: 0 Version: 1.0.0.0 | ||||
3196 | "powershell" Get-MpPreference -verbose | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Informative Program on.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2800 | "{path}" | C:\Users\admin\Desktop\Informative Program on.exe | Informative Program on.exe | |
User: admin Integrity Level: HIGH Description: SectorBoot Version: 1.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2GIH4P8ALXP2JJ7LUM28.temp | — | |
MD5:— | SHA256:— | |||
2800 | Informative Program on.exe | C:\Users\admin\AppData\Roaming\mtpktKu\xkqNT.exe | executable | |
MD5:DA20BB1254886326E8ECC643D5225E53 | SHA256:A42369BFDB64463A53B3E9610BF6775CD44BF3BE38225099AD76E382A76BA3E5 | |||
3196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF28854a.TMP | binary | |
MD5:17691DBE05169A3F5E1D4F8FED3B59B4 | SHA256:7ECF78E14C72A002593D0576866318632906327947AF38A1764BA7B3D764E0D6 | |||
3668 | WinRAR.exe | C:\Users\admin\Desktop\Informative Program on.exe | executable | |
MD5:DA20BB1254886326E8ECC643D5225E53 | SHA256:A42369BFDB64463A53B3E9610BF6775CD44BF3BE38225099AD76E382A76BA3E5 | |||
3196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:17691DBE05169A3F5E1D4F8FED3B59B4 | SHA256:7ECF78E14C72A002593D0576866318632906327947AF38A1764BA7B3D764E0D6 | |||
2800 | Informative Program on.exe | C:\Users\admin\AppData\Local\Temp\8c93c1c9-290c-4e82-a5a2-4e3075d8078f | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3160 | WinRAR.exe | C:\Users\admin\Desktop\976373c12d489dc93d5e7181341f88592fa1fbefc94afb31c736d5216e414717 | compressed | |
MD5:771D59121ACEC072D93A712ADA2916C1 | SHA256:976373C12D489DC93D5E7181341F88592FA1FBEFC94AFB31C736D5216E414717 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2800 | Informative Program on.exe | 85.17.28.200:587 | mail.ppe-eg.com | LeaseWeb Netherlands B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
mail.ppe-eg.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2800 | Informative Program on.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |