URL: https://5.252.192.117
Full analysis: https://app.any.run/tasks/7cf07e16-e567-4f0e-a7d4-072855752acf
Verdict: Malicious activity
Threats: Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date: July 18, 2019, 08:13:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
Indicators:
MD5: FDCC64B0B7BB5191D4AEB6F3274CE2BA
SHA1: CC6C961DBF3CF22E450B5C4876D71B5F0AEFEDF5
SHA256: 955B3BFCC7F8CEE1650CA8EE1B95CB7BDC642D93F9EF78992E990D881F6C4EDB
SSDEEP: 3:N80XQrS:20XQrS

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3712 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3496 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3712 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2512 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cjihe[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cjihe[1].exe | — | iexplore.exe | User: admin; Integrity Level: MEDIUM
4052 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | cjihe[1].exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400)
2168 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\file[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\file[1].exe | — | iexplore.exe | User: admin; Company: philandro Software GmbH; Integrity Level: MEDIUM; Description: AnyDesk; Version: 702.827.826.899
2136 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\jss[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\jss[1].exe | — | iexplore.exe | User: admin; Integrity Level: MEDIUM
2444 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | jss[1].exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Exit code: 4294967295; Version: 4.7.3062.0 built by: NET472REL1
2344 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\j[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\j[1].exe | — | iexplore.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3752 | "schtasks.exe" /query | C:\Windows\system32\schtasks.exe | — | j[1].exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3788 | "schtasks.exe" /create /sc MINUTE /tn startupname /MO 1 /tr C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\j[1].exe | C:\Windows\system32\schtasks.exe | — | j[1].exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 2147500037; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3712 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | — | —
3712 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 38FF3E88F70FA4E6608AD9BF08440B65 | A26B5B62CCA25DD5102722B44E9EA49AECD840449E96C3248B8038C3C5937B17
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | 5B62C13D97D3E9A8A72D46CA5136DCAB | 4F053C5055E702BB748E9931D4931CC3474C241F98C488FD3D9F49D2B0DDB238
3712 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071820190719\index.dat | dat | E47EB49A33A4C09A21414B9FE31D632A | 9583A07C52EF6A84A4727E3E44543298E038FBF7FA9857CF306A3FF729B2EC5A
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\danmaxexpress_com[1].txt | — | — | —
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071820190719\index.dat | dat | 2505EE2F17C0650CBA51AEFAC4986D38 | 54F05D2E6422D6B4257A3091F040D50BB4842CE41AF721CCDA79093A1B94B85C
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\defaultwebpage[1].htm | html | 01F74912A509F2C5A85764E013CF5804 | 33976549F2C48289F6E8D355BA34D0A44017573370543FC54CF4243B6C221D78
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\kk[1].txt | — | — | —
3712 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].png | image | 9FB559A691078558E77D6848202F6541 | 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3496 | iexplore.exe | GET | 200 | 108.170.57.54:80 | http://danmaxexpress.com/kk/cjihe.exe | US | executable | 518 Kb | malicious |
3496 | iexplore.exe | GET | 200 | 108.170.57.54:80 | http://danmaxexpress.com/ssl/ | US | html | 1.46 Kb | malicious |
3496 | iexplore.exe | GET | 200 | 108.170.57.54:80 | http://danmaxexpress.com/ | US | html | 1.28 Kb | malicious |
3496 | iexplore.exe | GET | 200 | 5.252.192.117:80 | http://5.252.192.117/img-sys/powered_by_cpanel.svg | unknown | image | 5.49 Kb | suspicious |
3496 | iexplore.exe | GET | 200 | 5.252.192.117:80 | http://5.252.192.117/img-sys/server_moved.png | unknown | image | 3.25 Kb | suspicious |
3712 | iexplore.exe | GET | 404 | 108.170.57.54:80 | http://danmaxexpress.com/favicon.ico | US | html | 328 b | malicious |
3496 | iexplore.exe | GET | 200 | 5.252.192.117:80 | http://5.252.192.117/cgi-sys/defaultwebpage.cgi | unknown | html | 6.75 Kb | suspicious |
3496 | iexplore.exe | GET | 200 | 108.170.57.54:80 | http://danmaxexpress.com/ssl/j.exe | US | executable | 386 Kb | malicious |
3496 | iexplore.exe | GET | 200 | 108.170.57.54:80 | http://danmaxexpress.com/kk/jss.exe | US | executable | 543 Kb | malicious |
3712 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3712 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
4052 | RegAsm.exe | 213.180.193.38:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
932 | vbc.exe | 185.247.228.189:7535 | princedaniels.duckdns.org | — | — | malicious |
3712 | iexplore.exe | 5.252.192.117:80 | — | — | — | suspicious |
3496 | iexplore.exe | 5.252.192.117:443 | — | — | — | suspicious |
4072 | vbc.exe | 185.217.1.186:8320 | faxjohn01.dyn.ddnss.de | Icme Limited | SE | malicious |
3496 | iexplore.exe | 5.252.192.117:80 | — | — | — | suspicious |
3712 | iexplore.exe | 108.170.57.54:80 | danmaxexpress.com | SECURED SERVERS LLC | US | suspicious |
3496 | iexplore.exe | 108.170.57.54:80 | danmaxexpress.com | SECURED SERVERS LLC | US | suspicious |
4044 | remcos.exe | 185.247.228.253:1998 | — | — | — | unknown |

Domain | IP | Reputation
---|---|---
www.bing.com | | whitelisted
danmaxexpress.com | | malicious
faxjohn01.dyn.ddnss.de | | malicious
princedaniels.duckdns.org | | malicious
smtp.yandex.com | | shared
checkip.amazonaws.com | | shared

PID | Process | Class | Message |
---|---|---|---|
3496 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3496 | iexplore.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
932 | vbc.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |
932 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
932 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
932 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
932 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
932 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
932 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |