URL: http://fxbetaoptions.suntrustworldwide.com/core/file.exe

Full analysis: https://app.any.run/tasks/a1824328-05cf-477c-a05a-f67878acea62
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: July 17, 2019, 06:09:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader, keylogger, stealer, agenttesla, evasion, trojan, rat
Indicators:
MD5: 54A9858ED2B5218DF8F9125AA33EF9E5
SHA1: 47CF24FAFE8C6E5C24EEBF908D374ADE881F584B
SHA256: B5B2492576031DD9D92196EC55AF55E9978BD52D1C6358F7DB77CA638389A9D4
SSDEEP: 3:N1KY6EOqHNAIiKKGKXbz:CYvOupMX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • file[1].exe (PID: 1980)
      • file[1].exe (PID: 2544)
    • Downloads executable files from the Internet
      • iexplore.exe (PID: 3592)
    • Changes the autorun value in the registry
      • file[1].exe (PID: 2544)
    • AGENTTESLA was detected
      • file[1].exe (PID: 2544)
    • Actions looks like stealing of personal data
      • file[1].exe (PID: 2544)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 3592)
      • iexplore.exe (PID: 3736)
      • file[1].exe (PID: 2544)
    • Cleans NTFS data-stream (Zone Identifier)
      • file[1].exe (PID: 2544)
    • Application launched itself
      • file[1].exe (PID: 1980)
    • Creates files in the user directory
      • file[1].exe (PID: 2544)
    • Checks for external IP
      • file[1].exe (PID: 2544)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 3736)
    • Application launched itself
      • iexplore.exe (PID: 3736)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3592)
No Malware configuration.
Total processes: 39
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree as shown in the report)

iexplore.exe -> iexplore.exe -> (drop and start) file[1].exe [no specs] -> (start) file[1].exe [#AGENTTESLA]

Process information

PID 3736
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3592
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3736 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 1980
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\file[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\file[1].exe
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2544
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\file[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\file[1].exe
Parent process: file[1].exe
User: admin
Integrity Level: MEDIUM
Total events: 680
Read events: 615
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 4
Suspicious files: 1
Text files: 4
Unknown types: 4

Dropped files (PID, process, filename, type; hashes where the report lists them)

3736 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
3736 iexplore.exe C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
3736 iexplore.exe C:\Users\admin\AppData\Local\Temp\~DF61552A7B620268AB.TMP
3736 iexplore.exe C:\Users\admin\AppData\Local\Temp\~DFB1E5D0573329963A.TMP
3736 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7243666D-A859-11E9-95C0-5254004A04AF}.dat
2544 file[1].exe C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe\:Zone.Identifier:$DATA
3592 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\file[1].exe (executable)
  MD5: E8E3B85F7A7320E39FA3B5D118196C5E
  SHA256: 80E50037AEA0278841C8FE089344704EDAB0BE6D7FE48B5B7C919663F42F39F1
3736 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071720190718\index.dat (dat)
  MD5: BE02FDC22C0603A1154BFAEF9D7924BA
  SHA256: 97D21E3E798CBED6C7E493CD339F702078CCB846FE88823234104ABA37ABDF4A
3592 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat (dat)
  MD5: 6A50EC2CAFA7362E8533BAB483C4EA71
  SHA256: 5E71B7F8115A90984BB1C6F88E4D67920EB7A83E85386E4C96D99B5D95CCBD87
3592 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071720190718\index.dat (dat)
  MD5: 787149C071E35912FD98C668F12E9F24
  SHA256: 2EEC51A9446A9B938BE64518C7FE79B28A840F3F3D8181E7B091267F472D6FA3
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation)

3592 iexplore.exe GET 200 45.126.209.154:80 http://fxbetaoptions.suntrustworldwide.com/core/file.exe SG executable 715 Kb suspicious
2544 file[1].exe GET 200 18.211.215.84:80 http://checkip.amazonaws.com/ US text 14 b shared
3736 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image 237 b whitelisted

Connections (PID, process, IP, domain, ASN, CN, reputation)

3736 iexplore.exe 204.79.197.200:80 www.bing.com Microsoft Corporation US whitelisted
2544 file[1].exe 18.211.215.84:80 checkip.amazonaws.com (ASN not listed) US shared
3592 iexplore.exe 45.126.209.154:80 fxbetaoptions.suntrustworldwide.com Choopa, LLC SG suspicious
2544 file[1].exe 95.142.156.18:587 mail.lencraft.com UK Webhosting Ltd GB malicious

DNS requests (domain, resolved IPs, reputation)

www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
fxbetaoptions.suntrustworldwide.com: 45.126.209.154 (suspicious)
mail.lencraft.com: 95.142.156.18, 95.142.156.28 (malicious)
checkip.amazonaws.com: 18.211.215.84, 52.206.161.133, 52.202.139.131, 34.233.102.38, 34.197.157.64, 52.6.79.229 (shared)

Threats (PID, process, class, message)

3592 iexplore.exe: Potential Corporate Privacy Violation. ET POLICY PE EXE or DLL Windows file download HTTP
2544 file[1].exe: Generic Protocol Command Decode. SURICATA Applayer Detect protocol only one direction
2544 file[1].exe: A Network Trojan was detected. MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info