File name:

Mensajes en cuarentena (2).zip

Full analysis: https://app.any.run/tasks/dfbaac18-6ccc-440f-a57e-f247d884f5e5
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' activity by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: January 10, 2025, 21:18:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
attachments
attc-unc
arch-exec
evasion
stealer
agenttesla
ftp
exfiltration
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

E59D7DA9EA3112DF8D097A3DC75CBBA5

SHA1:

ADB0F354A75BE0ABAC24A2E5E7EEF399EA1DB71B

SHA256:

D7F7DF47472593076077B7052725B8440A32637BC54FB8AFAB9FE3868C50A443

SSDEEP:

24576:WXoPVvDWrFUL15HhiNkBZhy2w+eL6THb4FgCM4FHs8URzVgz2:WXoPVvDWrFUL15HhiNaZhy2w+eL6THbB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • Comprobante_swift_8676534657698632.exe (PID: 2672)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • Comprobante_swift_8676534657698632.exe (PID: 6424)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • AGENTTESLA has been detected (SURICATA)

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Connects to the CnC server

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • AGENTTESLA has been detected (YARA)

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 7152)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 7152)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Connects to FTP

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Connects to unusual port

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
  • INFO

    • Disables trace logs

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 7136)
    • The sample compiled with german language support

      • OUTLOOK.EXE (PID: 6784)
      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 5964)
      • WinRAR.exe (PID: 7152)
    • Reads the machine GUID from the registry

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • RegAsm.exe (PID: 1760)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • RegAsm.exe (PID: 7136)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 5964)
    • Checks proxy server information

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 1760)
    • Reads the computer name

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 432)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
      • RegAsm.exe (PID: 6684)
    • Checks supported languages

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • RegAsm.exe (PID: 6328)
      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • RegAsm.exe (PID: 1760)
      • Comprobante_swift_8676534657698632.exe (PID: 2672)
      • RegAsm.exe (PID: 432)
      • Comprobante_swift_8676534657698632.exe (PID: 6424)
      • RegAsm.exe (PID: 7136)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
      • RegAsm.exe (PID: 6684)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 5564)
      • OUTLOOK.EXE (PID: 6784)
      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 7152)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 6556)
    • Manual execution by a user

      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • Taskmgr.exe (PID: 5604)
      • Taskmgr.exe (PID: 1596)
      • Comprobante_swift_8676534657698632.exe (PID: 2672)
      • OUTLOOK.EXE (PID: 1140)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • WinRAR.exe (PID: 7152)
      • Comprobante_swift_8676534657698632.exe (PID: 6424)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 45
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2025:01:10 20:57:50
ZipCRC: 0x6f56136e
ZipCompressedSize: 4294967295
ZipUncompressedSize: 4294967295
ZipFileName: ea537a0d-4c76-43cd-40d8-08dd31b81a2e/34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml
No data.
All screenshots are available in the full report
Total processes
159
Monitored processes
30
Malicious processes
14
Suspicious processes
1

Behavior graph

Graph nodes (flattened from the interactive view; the parent/child relations are listed under Process information below): winrar.exe, outlook.exe, ai.exe, comprobante_swift_8676534657698632.exe, regasm.exe (tagged #AGENTTESLA), svchost.exe, taskmgr.exe, rundll32.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
6556
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Mensajes en cuarentena (2).zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
6784
CMD:
"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIb6556.26634\34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml"
Path:
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
3208
CMD:
"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "85F7EAE6-37E0-40F6-B7F0-D7A445174529" "683CD170-0E0D-4EC4-A5CB-80CEAC7A74AD" "6784"
Path:
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process:
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
5564
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\SEC6IL85\Comprobante_swift_8676534657698632.uue"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
6012
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa5564.28098\Comprobante_swift_8676534657698632.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa5564.28098\Comprobante_swift_8676534657698632.exe
Parent process:
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5564.28098\comprobante_swift_8676534657698632.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
6328
CMD:
"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process:
Comprobante_swift_8676534657698632.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
6776
CMD:
"C:\Users\admin\Desktop\Comprobante_swift_8676534657698632.exe"
Path:
C:\Users\admin\Desktop\Comprobante_swift_8676534657698632.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\comprobante_swift_8676534657698632.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
7032
CMD:
"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process:
Comprobante_swift_8676534657698632.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7020
CMD:
"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process:
Comprobante_swift_8676534657698632.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
30 599
Read events
29 252
Write events
1 176
Delete events
171

Modification events

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Mensajes en cuarentena (2).zip

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6556) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids
Operation: write
Name: Outlook.File.eml.15
Value:

Executable files
3
Suspicious files
22
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6784 | Process: OUTLOOK.EXE | Type:
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:

PID: 6784 | Process: OUTLOOK.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\olk9C24.tmp
MD5: 13AB33633D1EB79455ABDC598B373402
SHA256: D7250F51131DD2B8285F2703832879AE3D245721ECB1DE955CD8499BD265F23D

PID: 6556 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb6556.26634\34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml:OECustomProperty
MD5: D651CE128A7834CA1ED398336D085042
SHA256: 1F000015313DDB29B0B81FC8229958A625236C93CAEACE0E94F54520E5D39B2B

PID: 6784 | Process: OUTLOOK.EXE | Type: xml
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_EB36C9A0888E1D4BB18563C81F4F5FE0.dat
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6

PID: 6556 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb6556.26634\34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml
MD5: 6358B582F0250F9A07FC4121E9E2DAB8
SHA256: 14D2CD178F3180E95EEE7949E9E61DC45B7224E5CA2D704E5C59DE8D45DFB2FE

PID: 6784 | Process: OUTLOOK.EXE | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
MD5: 71A1407A7319F8E35C6B9E7D3DD0E793
SHA256: 616E3E561DBFC729DDC325394F74FA3906C9038956A9A7CCA0E689444A63216E

PID: 5564 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa5564.28098\Comprobante_swift_8676534657698632.exe
MD5: 20536D622FB95BEE3D87757E3EFA74E0
SHA256: A3A54505CB30E3EDA94163B884011C9547BDF83FFDB0CD83DBFF798C5345948F

PID: 6784 | Process: OUTLOOK.EXE | Type: compressed
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\SEC6IL85\Comprobante_swift_8676534657698632 (002).uue
MD5: 1720019D950FDA4F8F10BF52F77A2A6C
SHA256: 757BEB4F94AABE0A81B9502B1AC2ACB45C6C93B48118A116DE10D7C85C718473

PID: 6784 | Process: OUTLOOK.EXE | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
MD5: 9CA372F599540F97E3E5D3AE1F36355D
SHA256: 791CD0982E0FFE0EB15D847BCBA9293D45593AE6B583361984BB030EACF12F21

PID: 6784 | Process: OUTLOOK.EXE | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
58
DNS requests
31
Threats
51

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(columns with no recorded value are omitted from the rows below)
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3692 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6784 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
3692 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6784 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
6328 | RegAsm.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
432 | RegAsm.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a "-" marks a cell that is empty in the report)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1876 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 92.123.104.63:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3040 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.173
  • 23.48.23.179
  • 23.48.23.178
  • 23.48.23.176
  • 23.48.23.160
  • 23.48.23.169
  • 23.48.23.162
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.bing.com
  • 92.123.104.63
  • 92.123.104.34
  • 92.123.104.31
  • 92.123.104.38
  • 92.123.104.32
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.73
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.106.86.13
  • 4.231.128.59
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted

Threats

PID | Process | Class | Message
(PID and Process are empty for every row in the report)
- | - | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
- | - | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
- | - | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
- | - | A Network Trojan was detected | ET MALWARE AgentTesla Exfil via FTP
- | - | Misc activity | INFO [ANY.RUN] FTP protocol command for uploading a file
- | - | A Network Trojan was detected | STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
- | - | A Network Trojan was detected | STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
- | - | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
- | - | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
10 ETPRO signatures available at the full report
No debug info