| Field | Value |
|---|---|
| File name | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.zip |
| Full analysis | https://app.any.run/tasks/3e1cfe60-9e8c-4a23-8e4f-d35821e78931 |
| Verdict | Malicious activity |
| Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
| Analysis date | December 06, 2022, 02:11:59 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v5.1 to extract |
| MD5 | 0965A8C10DB6895379500F49B579D8F8 |
| SHA1 | 3B59D10F6ADCD7ECE75020F4F7B122F0733C4ADD |
| SHA256 | A7BFF8EE9111D86F4778278B759F3E4CAF601468894CB95A6C4EEA326C63EB1C |
| SSDEEP | 12288:vW0DoAUcEjyygF9hFGv1ICpyPO8331knYNFyUy7L6I8FhhFZoh8+it86rYCSJuJW:0cEh6gzpy9SYNP2L6I87ZzUXJJ |
| File type (.zip) | ZIP compressed archive (100) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1328 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 |
| 560 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | — | WinRAR.exe | User: admin; Company: Microsoft; Integrity Level: MEDIUM; Description: Traffic Light; Exit code: 0; Version: 1.0.0.0 |
| 3760 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFkTBnEhieGPL" /XML "C:\Users\admin\AppData\Local\Temp\tmp9E05.tmp" | C:\Windows\System32\schtasks.exe | — | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2372 | "{path}" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | User: admin; Company: Microsoft; Integrity Level: MEDIUM; Description: Traffic Light; Version: 1.0.0.0 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| 1328 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.zip |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 1328 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 560 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\Roaming\uFkTBnEhieGPL.exe | executable | 6F25499AD6B017AD43A77020301727E2 | 94871247351C446A6B3611837028785DAE07C0DB7403482F7A604DEA29896AFB |
| 560 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\Local\Temp\tmp9E05.tmp | xml | 6BE59F248A0E6242E4D95E73D36F1ACD | 938FA423885C6F73B8E8BC461DB1418AEA991AC84A3A6090F1AC029A840E43DA |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | 8BB598A2850E1CD54009BC1342A102EF | 331F526562617855AE80AB5CB9A14D8F96B84BFA1800EEE4C05CBAC7102DF1D2 |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\Local\Temp\CabC4A8.tmp | compressed | FC4666CBCA561E864E7FDF883A9E6661 | 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\Roaming\DnDcR\DnDcR.exe | executable | 6F25499AD6B017AD43A77020301727E2 | 94871247351C446A6B3611837028785DAE07C0DB7403482F7A604DEA29896AFB |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\Local\Temp\TarC4A9.tmp | cat | 73B4B714B42FC9A6AAEFD0AE59ADB009 | C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD |
| 1328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | executable | 6F25499AD6B017AD43A77020301727E2 | 94871247351C446A6B3611837028785DAE07C0DB7403482F7A604DEA29896AFB |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | FC4666CBCA561E864E7FDF883A9E6661 | 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3baaeba03cb5c1b6 | US | compressed | 61.4 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | 203.175.9.97:587 | mail.biateknos.com | CV. Rumahweb Indonesia | ID | unknown |
| 2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | 54.91.59.199:443 | api.ipify.org | AMAZON-AES | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| api.ipify.org | | shared |
| mail.biateknos.com | | malicious |
| ctldl.windowsupdate.com | | whitelisted |