File name: | INV-GF76370-7478-465.cab |
Full analysis: | https://app.any.run/tasks/c0271d58-aeee-4a47-9143-bb4ea54ec6aa |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold. |
Analysis date: | June 12, 2019, 07:15:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-cab-compressed |
File info: | Microsoft Cabinet archive data, 642111 bytes, 1 file |
MD5: | 80217C27C16ED71C1D9F29B4D456F9F2 |
SHA1: | 88187071E1F8B6F17B093888A03ED574A39BB84F |
SHA256: | 8E69C2CC66803246BC16BBA746B17AFA08AACC37D751857FA8AD0653B08F0771 |
SSDEEP: | 12288:NHk98I+F+JA0lWlpBVZn/VtwUryTK6y6guTudmNEsaJk:NECI+Y0tZfob6d6m+ |
Extension | Identified type (confidence)
---|---
.cab | Microsoft Cabinet Archive (100)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2148 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\INV-GF76370-7478-465.cab" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
1012 | "C:\Users\admin\Desktop\INV-GF76370-7478-465.exe" | C:\Users\admin\Desktop\INV-GF76370-7478-465.exe | — | explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2708 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | INV-GF76370-7478-465.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
PID | Process | Filename | Type
---|---|---|---
2148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2148.25433\INV-GF76370-7478-465.exe | executable
MD5: EB7117AF249DBF7556A7DF74984CCF6A SHA256: B6DCFFB6187476B0BFCC3BEA59B56155FF0D0E02FD8ACA6AE1D2D9BAA02B1031
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2708 | RegAsm.exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2708 | RegAsm.exe | 198.54.115.194:26 | mail.tendertradeforex.co.uk | Namecheap, Inc. | US | malicious |
2708 | RegAsm.exe | 52.202.139.131:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation
---|---|---
mail.tendertradeforex.co.uk | | malicious
checkip.amazonaws.com | | shared
PID | Process | Class | Message |
---|---|---|---|
2708 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2708 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2708 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |
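The report above shows the whole Agent Tesla chain in three tables: WinRAR extracts an .exe from the .cab into its Rar$DR temp folder and explorer.exe launches a copy of it, the dropped sample spawns RegAsm.exe (a .NET registration utility that has no business on the network), and RegAsm.exe first fetches its public IP from checkip.amazonaws.com and then connects to mail.tendertradeforex.co.uk on TCP 26 for SMTP exfiltration, which the two PTsecurity Suricata signatures confirm. The following Python script is an added example, not ANY.RUN code, that turns those observations into host-side detection logic and runs it over constructed sample telemetry. The pipe-delimited event format, the list of IP-check domains, the SMTP port set and the rule that RegAsm.exe should never generate network events are assumptions made for the example; the PIDs, paths, IPs and domains are taken from the report.

```python
"""Detection logic for the Agent Tesla chain shown in the report above.

Added example, not ANY.RUN code. Each rule encodes an assumption about
benign behaviour rather than a fact stated by the report:
  1. RegAsm.exe is a local .NET assembly registration tool; a benign run
     has no reason to resolve names or open outbound connections.
  2. A process that first queries a public IP-check service and then opens
     an SMTP-style connection (port 25/26/465/587/2525) is a strong match
     for keylogger exfiltration by mail.
  3. An archiver writing an .exe into its Rar$DR temp folder, followed by a
     process start with that same file name, is the archive delivery chain.
"""
import ntpath
from collections import defaultdict

# Assumptions used by the rules (extend for your environment).
IP_CHECK_DOMAINS = {"checkip.amazonaws.com", "api.ipify.org", "icanhazip.com"}
SMTP_PORTS = {25, 26, 465, 587, 2525}      # 26 included because the report shows it
NO_NETWORK_IMAGES = {"regasm.exe"}         # assumption: benign RegAsm never talks to the network
ARCHIVER_IMAGES = {"winrar.exe"}

# Constructed sample telemetry. PIDs, paths, IPs and domains come from the
# report above; the pipe-delimited event format itself is invented here.
SAMPLE_EVENTS = [
    "process|pid=2148|image=C:\\Program Files\\WinRAR\\WinRAR.exe|parent=explorer.exe",
    "filewrite|pid=2148|path=C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$DRa2148.25433\\INV-GF76370-7478-465.exe",
    "process|pid=1012|image=C:\\Users\\admin\\Desktop\\INV-GF76370-7478-465.exe|parent=explorer.exe",
    "process|pid=2708|image=C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe|parent=INV-GF76370-7478-465.exe",
    "dns|pid=2708|domain=checkip.amazonaws.com",
    "netconn|pid=2708|dst=52.202.139.131|port=80|domain=checkip.amazonaws.com",
    "dns|pid=2708|domain=mail.tendertradeforex.co.uk",
    "netconn|pid=2708|dst=198.54.115.194|port=26|domain=mail.tendertradeforex.co.uk",
    # Benign control (constructed): a browser doing an IP check alone is not an alert.
    "process|pid=3100|image=C:\\Program Files\\Internet Explorer\\iexplore.exe|parent=explorer.exe",
    "netconn|pid=3100|dst=52.202.139.131|port=80|domain=checkip.amazonaws.com",
]


def parse(line):
    """Turn 'kind|k=v|k=v' into a dict; port becomes an int."""
    kind, *fields = line.split("|")
    ev = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    if "port" in ev:
        ev["port"] = int(ev["port"])
    return ev


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect(lines):
    """Return a list of (rule, pid) alerts in stable order."""
    events = [parse(line) for line in lines]
    image_of = {e["pid"]: image_name(e["image"]) for e in events if e["kind"] == "process"}
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = []

    # Rule 3: which .exe names did an archiver drop into its temp folder?
    dropped = set()
    for e in events:
        if e["kind"] == "filewrite" and image_of.get(e["pid"]) in ARCHIVER_IMAGES:
            name = image_name(e["path"])
            if name.endswith(".exe") and "rar$dr" in e["path"].lower():
                dropped.add(name)
    # The report shows the dropped file re-launched from the Desktop, so match
    # on file name rather than on the full temp path.
    for e in events:
        if e["kind"] == "process" and image_name(e["image"]) in dropped:
            alerts.append(("archive_dropped_exe_executed", e["pid"]))

    for pid, evs in by_pid.items():
        # Rule 1: any DNS or connection from an image that should never have any.
        if image_of.get(pid) in NO_NETWORK_IMAGES and any(e["kind"] in ("dns", "netconn") for e in evs):
            alerts.append(("regasm_network_activity", pid))
        # Rule 2: IP check followed, in time order, by a connection on an SMTP port.
        saw_ip_check = False
        net = [e for e in evs if e["kind"] == "netconn"]
        for e in net:
            if e.get("domain") in IP_CHECK_DOMAINS:
                saw_ip_check = True
            elif saw_ip_check and e["port"] in SMTP_PORTS:
                alerts.append(("ipcheck_then_smtp_exfil", pid))
                break
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run stand-alone, the script raises three alerts (the dropped-and-relaunched .exe as PID 1012, and both the RegAsm network rule and the IP-check-then-SMTP rule for PID 2708) and stays silent on the constructed browser PID 3100, which only performs the IP check. Rule 2 is the one to keep even where RegAsm.exe is not involved: Agent Tesla builds vary the host process, but the "learn my public IP, then mail the log out" sequence is what the two Suricata signatures in the report are keyed on.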