analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

INV-GF76370-7478-465.cab

Full analysis: https://app.any.run/tasks/c0271d58-aeee-4a47-9143-bb4ea54ec6aa
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: June 12, 2019, 07:15:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
trojan
rat
agenttesla
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, 642111 bytes, 1 file
MD5:

80217C27C16ED71C1D9F29B4D456F9F2

SHA1:

88187071E1F8B6F17B093888A03ED574A39BB84F

SHA256:

8E69C2CC66803246BC16BBA746B17AFA08AACC37D751857FA8AD0653B08F0771

SSDEEP:

12288:NHk98I+F+JA0lWlpBVZn/VtwUryTK6y6guTudmNEsaJk:NECI+Y0tZfob6d6m+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • INV-GF76370-7478-465.exe (PID: 1012)
    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 2708)
    • AGENTTESLA was detected

      • RegAsm.exe (PID: 2708)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2148)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2148)
    • Checks for external IP

      • RegAsm.exe (PID: 2708)
  • INFO

    • Manual execution by user

      • INV-GF76370-7478-465.exe (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cab | Microsoft Cabinet Archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe inv-gf76370-7478-465.exe no specs #AGENTTESLA regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2148"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\INV-GF76370-7478-465.cab"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1012"C:\Users\admin\Desktop\INV-GF76370-7478-465.exe" C:\Users\admin\Desktop\INV-GF76370-7478-465.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2708"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
INV-GF76370-7478-465.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5483 (Win7SP1GDR.050727-5400)
Total events
387
Read events
352
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2148.25433\INV-GF76370-7478-465.exeexecutable
MD5:EB7117AF249DBF7556A7DF74984CCF6A
SHA256:B6DCFFB6187476B0BFCC3BEA59B56155FF0D0E02FD8ACA6AE1D2D9BAA02B1031
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2708
RegAsm.exe
GET
200
52.202.139.131:80
http://checkip.amazonaws.com/
US
text
16 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2708
RegAsm.exe
198.54.115.194:26
mail.tendertradeforex.co.uk
Namecheap, Inc.
US
malicious
2708
RegAsm.exe
52.202.139.131:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared

DNS requests

Domain
IP
Reputation
mail.tendertradeforex.co.uk
  • 198.54.115.194
malicious
checkip.amazonaws.com
  • 52.202.139.131
  • 52.206.161.133
  • 52.6.79.229
  • 18.211.215.84
  • 34.233.102.38
  • 52.200.125.74
shared

Threats

PID
Process
Class
Message
2708
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2708
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2708
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP
3 ETPRO signatures available at the full report
No debug info