analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

TT Copy 2019.exe

Full analysis: https://app.any.run/tasks/f1b804f8-126a-4660-992d-b389a06de55b
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: March 22, 2019, 01:35:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
rat
agenttesla
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F536B8EB63DB40451303E4AF40059C98

SHA1:

F4D4871A75110ACCF3722C9B47325D361FC8A703

SHA256:

ABA097F9D954D01E0E4017809FF7741D5265AC506D7F984020D9474F2B6946CF

SSDEEP:

12288:DV56TyAzZjwvTb+yUj1kl754Taiufe15p:DVIDZjMTb+H1kXQumB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AGENTTESLA was detected

      • TT Copy 2019.exe (PID: 3080)
    • Actions looks like stealing of personal data

      • TT Copy 2019.exe (PID: 3080)
  • SUSPICIOUS

    • Connects to unusual port

      • TT Copy 2019.exe (PID: 3080)
    • Checks for external IP

      • TT Copy 2019.exe (PID: 3080)
    • Application launched itself

      • TT Copy 2019.exe (PID: 3648)
    • Loads DLL from Mozilla Firefox

      • TT Copy 2019.exe (PID: 3080)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2003:03:20 07:52:56+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 958464
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x144c
OSVersion: 4
ImageVersion: 4.3
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.3.0.5
ProductVersionNumber: 4.3.0.5
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: QUERCIVOROUS6
CompanyName: Investigators
FileDescription: Tabulago1
ProductName: FINCK1
FileVersion: 4.03.0005
ProductVersion: 4.03.0005
InternalName: spiranthes10
OriginalFileName: spiranthes10.exe

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2003 06:52:56
Detected languages:
  • English - United States
Comments: QUERCIVOROUS6
CompanyName: Investigators
FileDescription: Tabulago1
ProductName: FINCK1
FileVersion: 4.03.0005
ProductVersion: 4.03.0005
InternalName: spiranthes10
OriginalFilename: spiranthes10.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 20-Mar-2003 06:52:56
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000E9198
0x000EA000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.25914
.data
0x000EB000
0x00000AB4
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x000EC000
0x000038B4
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.83499

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.34678
684
Unicode (UTF 16LE)
English - United States
RT_VERSION
30001
6.48758
10712
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
6.13738
1864
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30003
5.29775
872
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start tt copy 2019.exe no specs #AGENTTESLA tt copy 2019.exe

Process information

PID
CMD
Path
Indicators
Parent process
3648"C:\Users\admin\AppData\Local\Temp\TT Copy 2019.exe" C:\Users\admin\AppData\Local\Temp\TT Copy 2019.exeexplorer.exe
User:
admin
Company:
Investigators
Integrity Level:
MEDIUM
Description:
Tabulago1
Exit code:
0
Version:
4.03.0005
3080C:\Users\admin\AppData\Local\Temp\TT Copy 2019.exe" C:\Users\admin\AppData\Local\Temp\TT Copy 2019.exe
TT Copy 2019.exe
User:
admin
Company:
Investigators
Integrity Level:
MEDIUM
Description:
Tabulago1
Version:
4.03.0005
Total events
63
Read events
51
Write events
12
Delete events
0

Modification events

(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3080) TT Copy 2019.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TT Copy 2019_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3648TT Copy 2019.exeC:\Users\admin\AppData\Local\Temp\~DFDA4D9DC5E79D701F.TMPbinary
MD5:A21F1ABFAC41196121BFE96F96408167
SHA256:B5A42BDDBC197762651D1481A28221554517744E073AF60D4E0FB97A9CCA6B5D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3080
TT Copy 2019.exe
GET
200
34.196.82.108:80
http://checkip.amazonaws.com/
US
text
16 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3080
TT Copy 2019.exe
34.196.82.108:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared
3080
TT Copy 2019.exe
198.54.116.236:26
mail.alna-hdaz.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
mail.alna-hdaz.com
  • 198.54.116.236
malicious
checkip.amazonaws.com
  • 34.196.82.108
  • 18.233.42.138
  • 52.200.125.74
  • 52.0.208.170
  • 34.233.102.38
  • 52.202.139.131
shared

Threats

PID
Process
Class
Message
3080
TT Copy 2019.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3080
TT Copy 2019.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info