File name:	Transfer Copy swift.r00
Full analysis:	https://app.any.run/tasks/da7c6806-e098-49ae-a4af-d07aa6c6bda1
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 11, 2019, 05:26:27
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan loader keylogger agenttesla evasion rat
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	AD695F5EE0D5767DA3305522D819B4F1
SHA1:	44D8A0FDBF99CE48F0C7B8A6CB4B0C0187557D98
SHA256:	C173764E5B509CF3D53503CD58DD35AEE0D74A82DA1DE4C1252667A263638265
SSDEEP:	6:udVySsj9TA62Y3/8fRhKmyMwNc+SNoE5UqUZQwfrFbKKAXV5SMdGibl:oVySsjVN3/8fRhKmbgq0FbKKAXVMMd9

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Transfer Copy swift.r00.rar
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\acppage.dll,-6002
Value: Windows Batch File
(PID) Process:	(2852) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000

PID	Process	Filename		Type
2852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2852.11315\Transfer Copy swift.Bat		—
		MD5:—	SHA256:—
2144	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGFSL2EN1WA9XR26QXHH.temp		—
		MD5:—	SHA256:—
2144	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF15b3d8.TMP		binary
		MD5:—	SHA256:—
2144	powershell.exe	C:\Users\admin\AppData\Local\Temp\Test.exe		executable
		MD5:—	SHA256:—
2144	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:—	SHA256:—
2860	Test.exe	C:\Users\admin\AppData\Local\Temp\637037800386668750_3aca655d-a762-4f73-ac51-662fee102639.db		sqlite
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2144	powershell.exe	GET	200	1.217.125.148:8000	http://web.riderit.com:8000/ajp/public/5a2eec141864de49a45bb29ac52dbe6b.php	KR	executable	333 Kb	malicious
2860	Test.exe	GET	200	18.205.71.63:80	http://checkip.amazonaws.com/	US	text	15 b	malicious

Domain	IP	Reputation
teredo.ipv6.microsoft.com	—	whitelisted
web.riderit.com	1.217.125.148	malicious
checkip.amazonaws.com	18.205.71.63 52.44.169.135 52.55.255.113 34.196.181.158 18.214.132.216 3.224.145.145	malicious
mail.trezaexim.com	216.55.169.138	malicious

PID	Process	Class	Message
2144	powershell.exe	A Network Trojan was detected	AV TROJAN TrojanDownloader.Agent Second Stage Download
2144	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2144	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2144	powershell.exe	Misc activity	ET INFO EXE - Served Attached HTTP
2860	Test.exe	A Network Trojan was detected	MALWARE [PTsecurity] AgentTesla IP Check
2860	Test.exe	A Network Trojan was detected	AV TROJAN Win.Keylogger.AgentTesla variant outbound SMTP connection
2860	Test.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP

General Info

Transfer Copy swift.r00

AD695F5EE0D5767DA3305522D819B4F1

44D8A0FDBF99CE48F0C7B8A6CB4B0C0187557D98

C173764E5B509CF3D53503CD58DD35AEE0D74A82DA1DE4C1252667A263638265

6:udVySsj9TA62Y3/8fRhKmyMwNc+SNoE5UqUZQwfrFbKKAXV5SMdGibl:oVySsjVN3/8fRhKmbgq0FbKKAXVMMd9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executes PowerShell scripts

Application was dropped or rewritten from another process

Downloads executable files from the Internet

AGENTTESLA was detected

Actions looks like stealing of personal data

SUSPICIOUS

Reads the machine GUID from the registry

Creates files in the user directory

Connects to unusual port

Executable content was dropped or overwritten

Checks for external IP

Connects to SMTP port

INFO

Manual execution by user

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings