Field | Value
---|---
File name: | New Text Document.bin.exe
Full analysis: | https://app.any.run/tasks/75ed53aa-a3fc-4c47-aafe-39877eb1e7c8
Verdict: | Malicious activity
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date: | May 26, 2024, 02:35:47
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows
MD5: | 0B0D247AA1F24C2F5867B3BF29F69450
SHA1: | 48DE9F34226FD7F637E2379365BE035AF5C0DF1A
SHA256: | A6E7292E734C3A15CFA654BBA8DEA72A2F55F1C24CF6BBDC2FD7E63887E9315A
SSDEEP: | 12288:dcgCzNHJj96xfKJStJkRm3bYXob0AnmFMcaGQxkZVVVVVVVVVAtVVVUvqGV:UQKgLIQmFuGQxklvqO
Extension | File type | Score
---|---|---
.exe | Win32 Executable (generic) | 52.9
.exe | Generic Win/DOS Executable | 23.5
.exe | DOS Executable Generic | 23.5
Field | Value
---|---
Subsystem: | Windows GUI
SubsystemVersion: | 5.1
ImageVersion: | -
OSVersion: | 5.1
EntryPoint: | 0x21d50
UninitializedDataSize: | -
InitializedDataSize: | 119296
CodeSize: | 214528
LinkerVersion: | 14.33
PEType: | PE32
ImageFileCharacteristics: | Executable, 32-bit
TimeStamp: | 2023:10:03 07:51:19+00:00
MachineType: | Intel 386 or later, and compatibles
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3976 | "C:\Users\admin\Desktop\New Text Document.bin.exe" | C:\Users\admin\Desktop\New Text Document.bin.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2032 | "C:\Users\admin\Desktop\New Text Document.exe" | C:\Users\admin\Desktop\New Text Document.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: —; Version: 0.0.0.0
2304 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player Network Sharing Service Configuration Application; Exit code: 0; Version: 12.0.7600.16385 (win7_rtm.090713-1255)
308 | "C:\Users\admin\Desktop\a\STHealthUp.exe" | C:\Users\admin\Desktop\a\STHealthUp.exe | — | New Text Document.exe | User: admin; Integrity Level: MEDIUM; Description: STHealthUp; Version: 1.0.0.0
1620 | "C:\Users\admin\Desktop\a\STHealthClient.exe" | C:\Users\admin\Desktop\a\STHealthClient.exe | | New Text Document.exe | User: admin; Integrity Level: MEDIUM; Description: STHealthClient; Version: 1.0.0.0
1844 | "C:\Users\admin\Desktop\a\GGWS_UPLOAD.exe" | C:\Users\admin\Desktop\a\GGWS_UPLOAD.exe | — | New Text Document.exe | User: admin; Company: Microsoft; Integrity Level: MEDIUM; Description: GGWS_UPLOAD; Version: 1.0.0.0
2240 | "C:\Users\admin\Desktop\a\MyCheckBack.exe" | C:\Users\admin\Desktop\a\MyCheckBack.exe | — | New Text Document.exe | User: admin; Integrity Level: MEDIUM; Description: MyCheckBack; Version: 1.0.0.0
2368 | "C:\Users\admin\Desktop\a\go.exe" | C:\Users\admin\Desktop\a\go.exe | — | New Text Document.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2256 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account | C:\Program Files\Microsoft\Edge\Application\msedge.exe | | go.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Edge; Exit code: 4294967295; Version: 109.0.1518.115
736 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | go.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Edge; Exit code: 0; Version: 109.0.1518.115
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry | delete value | AddToFavoritesInitialSelection |
3976 | New Text Document.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry | delete value | AddToFeedsInitialSelection |
2032 | New Text Document.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\New Text Document_RASAPI32 | write | EnableFileTracing | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
824 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | — | — | —
860 | msedge.exe | — | | — | —
2256 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF115bc9.TMP | — | — | —
2256 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | — | —
2032 | New Text Document.exe | C:\Users\admin\Desktop\a\STHealthUp.exe | executable | E78473BCA17B8E1E7353570719B5AD0C | F81DE3B76D2E7F5166C6029CBD9918DCC6C8649BB0D9F869A76E141B3ABCA791
2032 | New Text Document.exe | C:\Users\admin\Desktop\a\beacon.exe | executable | 927EE11071594552182A02D7B0B971FA | A82983039FD8A63E3AC15D731AF598519AEDCDFEDAD67C793699F96CF4510ECF
3976 | New Text Document.bin.exe | C:\Users\admin\Desktop\Пароли Chrome.csv | csv | 64F50AFB35DD16EE46F187015CEE84CE | C2D389870DE77426A31A8C478E0FDDCBBEA7A3733B453806317914E6F946EA91
2256 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF115bf8.TMP | — | — | —
2032 | New Text Document.exe | C:\Users\admin\Desktop\a\GGWS_UPLOAD.exe | executable | CBAA1A61C93704F1540E48A8DD9BAC14 | 44C5191F1061CC9340498B5841AC6B3E2488CA5B5E5E8A812687BBF864125A61
2032 | New Text Document.exe | C:\Users\admin\Desktop\a\MyCheckBack.exe | executable | 58D9DA67F31BE50170DADD4FF9A837AD | AB644D098073465A00E4CF0A550E9D9EAB99AB84D0876FA490A7CF79B46384E0
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1620 | STHealthClient.exe | GET | 200 | 47.104.173.216:8081 | http://47.104.173.216:8081/server.txt | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 47.104.173.216:8081 | http://47.104.173.216:8081/STHealthClient.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 47.104.173.216:8081 | http://47.104.173.216:8081/MyCheckBack.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 147.45.47.102:57893 | http://147.45.47.102:57893/cost/go.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 114.132.120.166:8080 | http://114.132.120.166:8080/beacon.exe | unknown | — | — | unknown |
1620 | STHealthClient.exe | GET | 200 | 47.104.173.216:8081 | http://47.104.173.216:8081/STHealthUpdate.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 5.42.66.47:80 | http://5.42.66.47/files/time2time.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 47.104.173.216:8081 | http://47.104.173.216:8081/GGWS_UPLOAD.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 158.160.165.129:80 | http://okkolus.com/downloads/toolspub1.exe | unknown | — | — | unknown |
2032 | New Text Document.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9f2c84c6e21cb662 | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2032 | New Text Document.exe | 151.101.130.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown |
2032 | New Text Document.exe | 141.8.192.6:80 | a0984086.xsph.ru | Sprinthost.ru LLC | RU | unknown |
2032 | New Text Document.exe | 47.104.173.216:8081 | — | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
1620 | STHealthClient.exe | 47.104.173.216:8081 | — | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
2032 | New Text Document.exe | 114.132.120.166:8080 | — | Shenzhen Tencent Computer Systems Company Limited | CN | unknown |
2032 | New Text Document.exe | 147.45.47.102:57893 | — | OOO FREEnet Group | RU | unknown |
Domain | IP | Reputation
---|---|---
urlhaus.abuse.ch | | whitelisted
a0984086.xsph.ru | | unknown
transfer.adttemp.com.br | | unknown
config.edge.skype.com | | whitelisted
www.youtube.com | | whitelisted
edge.microsoft.com | | whitelisted
accounts.google.com | | shared
www.facebook.com | | whitelisted
consent.youtube.com | | whitelisted
www.bing.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
1088 | svchost.exe | Misc activity | ET INFO Observed DNS Query to xsph .ru Domain |
2032 | New Text Document.exe | A Network Trojan was detected | ET MALWARE Single char EXE direct download likely trojan (multiple families) |
2032 | New Text Document.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
2032 | New Text Document.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2032 | New Text Document.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |