File name: 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.zip

Full analysis: https://app.any.run/tasks/3e1cfe60-9e8c-4a23-8e4f-d35821e78931
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: December 06, 2022, 02:11:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: agenttesla
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5: 0965A8C10DB6895379500F49B579D8F8
SHA1: 3B59D10F6ADCD7ECE75020F4F7B122F0733C4ADD
SHA256: A7BFF8EE9111D86F4778278B759F3E4CAF601468894CB95A6C4EEA326C63EB1C
SSDEEP: 12288:vW0DoAUcEjyygF9hFGv1ICpyPO8331knYNFyUy7L6I8FhhFZoh8+it86rYCSJuJW:0cEh6gzpy9SYNP2L6I87ZzUXJJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (PID: 560)
      • 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (PID: 2372)
    • AGENTTESLA detected by memory dumps

      • 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (PID: 2372)
  • SUSPICIOUS

    • Application launched itself

      • 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (PID: 560)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive in the full report; nodes and edges as extracted):

winrar.exe (no specs) --drop and start--> 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (no specs) --start--> schtasks.exe (no specs)
94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (no specs) --drop and start--> 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (#AGENTTESLA)

Process information

PID: 1328
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 560
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Traffic Light
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3760
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uFkTBnEhieGPL" /XML "C:\Users\admin\AppData\Local\Temp\tmp9E05.tmp"
Path: C:\Windows\System32\schtasks.exe
Parent process: 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
PID: 2372
CMD: "{path}"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
Parent process: 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Traffic Light
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shlwapi.dll
Total events: 5 893
Read events: 5 839
Write events: 54
Delete events: 0

Modification events

Process (PID) | Key | Operation | Name | Value
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
WinRAR.exe (1328) | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.zip
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
WinRAR.exe (1328) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 3
Suspicious files: 3
Text files: 1
Unknown types: 1

Dropped files

PID 2372 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (compressed)
  MD5: FC4666CBCA561E864E7FDF883A9E6661
  SHA256: 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
PID 2372 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\Roaming\DnDcR\DnDcR.exe (executable)
  MD5: 6F25499AD6B017AD43A77020301727E2
  SHA256: 94871247351C446A6B3611837028785DAE07C0DB7403482F7A604DEA29896AFB
PID 560 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\Local\Temp\tmp9E05.tmp (xml)
  MD5: 6BE59F248A0E6242E4D95E73D36F1ACD
  SHA256: 938FA423885C6F73B8E8BC461DB1418AEA991AC84A3A6090F1AC029A840E43DA
PID 1328 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXb1328.21507\94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe (executable)
  MD5: 6F25499AD6B017AD43A77020301727E2
  SHA256: 94871247351C446A6B3611837028785DAE07C0DB7403482F7A604DEA29896AFB
PID 560 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\Roaming\uFkTBnEhieGPL.exe (executable)
  MD5: 6F25499AD6B017AD43A77020301727E2
  SHA256: 94871247351C446A6B3611837028785DAE07C0DB7403482F7A604DEA29896AFB
PID 2372 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\Local\Temp\CabC4A8.tmp (compressed)
  MD5: FC4666CBCA561E864E7FDF883A9E6661
  SHA256: 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
PID 2372 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\Local\Temp\TarC4A9.tmp (cat)
  MD5: 73B4B714B42FC9A6AAEFD0AE59ADB009
  SHA256: C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
PID 2372 (94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (binary)
  MD5: 8BB598A2850E1CD54009BC1342A102EF
  SHA256: 331F526562617855AE80AB5CB9A14D8F96B84BFA1800EEE4C05CBAC7102DF1D2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID: 2372
Process: 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe
Method: GET
HTTP Code: 200
IP: 209.197.3.8:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3baaeba03cb5c1b6
CN: US
Type: compressed
Size: 61.4 Kb
Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | 54.91.59.199:443 | api.ipify.org | AMAZON-AES | US | malicious
2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | 203.175.9.97:587 | mail.biateknos.com | CV. Rumahweb Indonesia | ID | unknown
2372 | 94871247351c446a6b3611837028785dae07c0db7403482f7a604dea29896afb.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | suspicious

DNS requests

Domain | IP(s) | Reputation
api.ipify.org | 54.91.59.199, 52.20.78.240, 3.232.242.170, 3.220.57.224 | shared
mail.biateknos.com | 203.175.9.97 | unknown
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted

Threats

No threats detected
No debug info