Field | Value |
---|---|
File name | Sample1.zip |
Full analysis | https://app.any.run/tasks/ca32f04c-9d6b-4927-9056-2e836b0a7c1b |
Verdict | Malicious activity |
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date | July 18, 2019, 14:39:20 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | 249A3CA445648A31AFD863DBB77268B2 |
SHA1 | 7067ACD776956883CB6EBAE7613131DB001B99BA |
SHA256 | B2E23269DCA9A5CF211A2B295E18BDD89ACAAF85776A1689DEE89164E92A5720 |
SSDEEP | 48:Zv3UIT3O5s9fzkwMrfBNmtsgfxwj6ggHaSCSGN4rWDau1aURvAPF:JBT3K6DmBNSsgejXg6pJaUBAPF |
Archive property | Value |
---|---|
Extension | .zip |
Description | ZIP compressed archive (100) |
ZipFileName | baacfbe10e93fed1185e616701bab39f036755f2e4bf5f5c54dea62415d6b156.bin |
ZipUncompressedSize | 3906 |
ZipCompressedSize | 2079 |
ZipCRC | 0x40283ec3 |
ZipModifyDate | 2019:07:18 14:39:03 |
ZipCompression | Deflated |
ZipBitFlag | 0x0001 |
ZipRequiredVersion | 788 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2848 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
1952 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayyy.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
2904 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
3524 | "C:\Users\admin\AppData\Roaming\rectorfile.exe" | C:\Users\admin\AppData\Roaming\rectorfile.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3420 | "C:\Users\admin\AppData\Roaming\rectorfile.exe" | C:\Users\admin\AppData\Roaming\rectorfile.exe | — | rectorfile.exe | User: admin; Integrity Level: MEDIUM |
3940 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | — | explorer.exe | User: admin; Company: Opera Software; Integrity Level: MEDIUM; Description: Opera Internet Browser; Version: 1748 |
3492 | "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe" | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe | — | opera.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3988 | "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe" | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe | — | rector.exe | User: admin; Integrity Level: MEDIUM; Exit code: 4294967295 |
2936 | "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe" | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe | — | opera.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2928 | "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe" | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\rector.exe | — | rector.exe | User: admin; Integrity Level: MEDIUM |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2848.29998\baacfbe10e93fed1185e616701bab39f036755f2e4bf5f5c54dea62415d6b156.bin | — | — | — |
1952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR79D0.tmp.cvr | — | — | — |
3940 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr17A.tmp | — | — | — |
3940 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr1AA.tmp | — | — | — |
3940 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4QHWN6TLFPF4YIFL75WU.temp | — | — | — |
3940 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr9485.tmp | — | — | — |
3940 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprA05D.tmp | — | — | — |
1952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E63715D5B079BA02984A7F94E8F02AAF | 8474BE584AD45C2EE0A81EB74123EEAAA10C7CE70FBAC1A72F7146B0881E5424 |
1952 | WINWORD.EXE | C:\Users\admin\Desktop\~$ayyy.doc | pgc | 7998F3900B8258E2C4D5DD86224D07AE | BCBBD4CF63C2F9B55CFFD9C2CEFC6E8DB0C55BD88AF170E5EBFF0AAACBDC01E3 |
1952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ayyy.doc.LNK | lnk | E2EE6F97848E8F3170BF06690DED043E | 82C51E3D8AD9299137F7244AB8F72738A2E88756A8E27776EF4D1A5538C150F0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3420 | rectorfile.exe | GET | 200 | 34.233.102.38:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared |
3940 | opera.exe | GET | 200 | 164.160.128.117:80 | http://mrjbiz.top/rector/rector.exe | NG | executable | 1.04 Mb | malicious |
3940 | opera.exe | GET | — | 164.160.128.117:80 | http://mrjbiz.top/ugpounds/ | NG | — | — | malicious |
3940 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted |
3940 | opera.exe | GET | 200 | 164.160.128.117:80 | http://mrjbiz.top/ | NG | html | 2.49 Kb | malicious |
3940 | opera.exe | GET | 301 | 164.160.128.117:80 | http://mrjbiz.top/rector | NG | html | 233 b | malicious |
3940 | opera.exe | GET | 200 | 172.217.16.142:80 | http://clients1.google.com/complete/search?q=mrjbiz&client=opera-suggest-omnibox&hl=de | US | text | 33 b | whitelisted |
3940 | opera.exe | GET | 403 | 164.160.128.117:80 | http://mrjbiz.top/mrj/ | NG | html | 332 b | malicious |
3940 | opera.exe | GET | 200 | 164.160.128.117:80 | http://mrjbiz.top/bobbye/ | NG | html | 780 b | malicious |
3940 | opera.exe | GET | 200 | 164.160.128.117:80 | http://mrjbiz.top/peterz/ | NG | html | 780 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3988 | rector.exe | 52.6.79.229:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
2904 | EQNEDT32.EXE | 164.160.128.117:80 | mrjbiz.top | Garanntor-Hosting-AS | NG | malicious |
3940 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3940 | opera.exe | 164.160.128.117:80 | mrjbiz.top | Garanntor-Hosting-AS | NG | malicious |
3420 | rectorfile.exe | 164.160.128.117:587 | mrjbiz.top | Garanntor-Hosting-AS | NG | malicious |
3420 | rectorfile.exe | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3940 | opera.exe | 185.26.182.93:80 | certs.opera.com | Opera Software AS | — | whitelisted |
2928 | rector.exe | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3940 | opera.exe | 172.217.16.142:80 | clients1.google.com | Google Inc. | US | whitelisted |
3988 | rector.exe | 164.160.128.117:587 | mrjbiz.top | Garanntor-Hosting-AS | NG | malicious |
Domain | IP | Reputation |
---|---|---|
mrjbiz.top | — | malicious |
checkip.amazonaws.com | — | shared |
certs.opera.com | — | whitelisted |
crl4.digicert.com | — | whitelisted |
gh-ws-rhl01.garanntor.net | — | malicious |
clients1.google.com | — | whitelisted |
sitecheck2.opera.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2904 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
2904 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2904 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2904 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
3420 | rectorfile.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3420 | rectorfile.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3940 | opera.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3940 | opera.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3940 | opera.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |