File name: Mensajes en cuarentena (2).zip

Full analysis: https://app.any.run/tasks/dfbaac18-6ccc-440f-a57e-f247d884f5e5
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: January 10, 2025, 21:18:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
attachments
attc-unc
arch-exec
evasion
stealer
agenttesla
ftp
exfiltration
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5: E59D7DA9EA3112DF8D097A3DC75CBBA5
SHA1: ADB0F354A75BE0ABAC24A2E5E7EEF399EA1DB71B
SHA256: D7F7DF47472593076077B7052725B8440A32637BC54FB8AFAB9FE3868C50A443
SSDEEP: 24576:WXoPVvDWrFUL15HhiNkBZhy2w+eL6THb4FgCM4FHs8URzVgz2:WXoPVvDWrFUL15HhiNaZhy2w+eL6THbB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • Comprobante_swift_8676534657698632.exe (PID: 2672)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • Comprobante_swift_8676534657698632.exe (PID: 6424)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • AGENTTESLA has been detected (SURICATA)

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Connects to the CnC server

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • AGENTTESLA has been detected (YARA)

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 7152)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 7152)
    • Connects to FTP

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 7136)
      • RegAsm.exe (PID: 432)
    • Connects to unusual port

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
  • INFO

    • The sample was compiled with German language support

      • OUTLOOK.EXE (PID: 6784)
      • WinRAR.exe (PID: 6556)
      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 5964)
      • WinRAR.exe (PID: 7152)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 6556)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 5964)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6556)
      • OUTLOOK.EXE (PID: 6784)
      • WinRAR.exe (PID: 5564)
      • WinRAR.exe (PID: 7152)
    • Reads the computer name

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 432)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • RegAsm.exe (PID: 6684)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
    • Checks supported languages

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • RegAsm.exe (PID: 6328)
      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • RegAsm.exe (PID: 1760)
      • Comprobante_swift_8676534657698632.exe (PID: 2672)
      • RegAsm.exe (PID: 432)
      • RegAsm.exe (PID: 7136)
      • Comprobante_swift_8676534657698632.exe (PID: 6424)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
      • RegAsm.exe (PID: 6684)
    • Disables trace logs

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 1760)
      • RegAsm.exe (PID: 7136)
    • Reads the machine GUID from the registry

      • Comprobante_swift_8676534657698632.exe (PID: 6012)
      • RegAsm.exe (PID: 6328)
      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 1760)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • RegAsm.exe (PID: 7136)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
    • Checks proxy server information

      • RegAsm.exe (PID: 6328)
      • RegAsm.exe (PID: 1760)
    • Manual execution by a user

      • Comprobante_swift_8676534657698632.exe (PID: 6776)
      • Taskmgr.exe (PID: 5604)
      • Comprobante_swift_8676534657698632.exe (PID: 2672)
      • Taskmgr.exe (PID: 1596)
      • OUTLOOK.EXE (PID: 1140)
      • Comprobante_swift_8676534657698632.exe (PID: 1080)
      • WinRAR.exe (PID: 7152)
      • Comprobante_swift_8676534657698632.exe (PID: 6424)
      • Comprobante_swift_8676534657698632.exe (PID: 188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: ea537a0d-4c76-43cd-40d8-08dd31b81a2e/34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml
ZipUncompressedSize: 4294967295
ZipCompressedSize: 4294967295
ZipCRC: 0x6f56136e
ZipModifyDate: 2025:01:10 20:57:50
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 45
No data.
All screenshots are available in the full report
Total processes: 159
Monitored processes: 30
Malicious processes: 14
Suspicious processes: 1

Behavior graph

Interactive graph not reproduced. Nodes in graph order ("no specs" marks a node without its own indicators; #AGENTTESLA marks a node tagged by the malware signature): winrar.exe (no specs), outlook.exe, ai.exe (no specs), winrar.exe, comprobante_swift_8676534657698632.exe (no specs), regasm.exe #AGENTTESLA, svchost.exe, comprobante_swift_8676534657698632.exe, regasm.exe (no specs), regasm.exe #AGENTTESLA, taskmgr.exe (no specs), taskmgr.exe, comprobante_swift_8676534657698632.exe, regasm.exe #AGENTTESLA, outlook.exe (no specs), winrar.exe, comprobante_swift_8676534657698632.exe, regasm.exe (no specs), regasm.exe (no specs), regasm.exe #AGENTTESLA, rundll32.exe (no specs), winrar.exe (no specs), outlook.exe (no specs), comprobante_swift_8676534657698632.exe (no specs), regasm.exe #AGENTTESLA, comprobante_swift_8676534657698632.exe (no specs), regasm.exe (no specs), regasm.exe (no specs), regasm.exe (no specs), regasm.exe (no specs)

Process information

PID: 6556
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Mensajes en cuarentena (2).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6784
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIb6556.26634\34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml"
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3208
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "85F7EAE6-37E0-40F6-B7F0-D7A445174529" "683CD170-0E0D-4EC4-A5CB-80CEAC7A74AD" "6784"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5564
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\SEC6IL85\Comprobante_swift_8676534657698632.uue"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6012
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5564.28098\Comprobante_swift_8676534657698632.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5564.28098\Comprobante_swift_8676534657698632.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5564.28098\comprobante_swift_8676534657698632.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6328
CMD: "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: Comprobante_swift_8676534657698632.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6776
CMD: "C:\Users\admin\Desktop\Comprobante_swift_8676534657698632.exe"
Path: C:\Users\admin\Desktop\Comprobante_swift_8676534657698632.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\comprobante_swift_8676534657698632.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7032
CMD: "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: Comprobante_swift_8676534657698632.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7020
CMD: "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: Comprobante_swift_8676534657698632.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 30 599
Read events: 29 252
Write events: 1 176
Delete events: 171

Modification events

PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Mensajes en cuarentena (2).zip
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
PID 6556 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids | Operation: write | Name: Outlook.File.eml.15 | Value:
Executable files: 3
Suspicious files: 22
Text files: 13
Unknown types: 0

Dropped files

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type:
MD5:
SHA256:

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\916AC5B3-FF76-420B-A366-FF6ABA25CE5D
Type: xml
MD5: FA909E27BCF04A6098C56E8BD55484EC
SHA256: 4968E5A831C79316394603409697B3C6AA92B36F9DE2D31D1202A43E99550D24

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Type: text
MD5: AB0AE6594E31622A1E7CB63DEC4F926C
SHA256: 2E46ED781493A2811F73D75173C0C8C16C01C7F6ED590772613E56D1824032D7

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Type: binary
MD5: B8F6F5C9002791127F5B529C07BFCE07
SHA256: 7EF39CCD741DEB8FCAE83BE66960EFA4B8B3C3150BCE9E9D67DAC784DFC1FE15

PID 6556, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb6556.26634\34a3e8c0-6921-02e0-b21e-bc1f8571e6fd.eml
Type: binary
MD5: 6358B582F0250F9A07FC4121E9E2DAB8
SHA256: 14D2CD178F3180E95EEE7949E9E61DC45B7224E5CA2D704E5C59DE8D45DFB2FE

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary
MD5: DD159D070F5486E5045A4ECF74DC361F
SHA256: 31830E2FD13CF4B1561DCB07D443E2918D633D5C3ECFAAF4AE25D6DFABF676A1

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type: binary
MD5: 96FB7C55659946D88A504895C533F5D2
SHA256: 24103A95A005927A6752555593F8EB40486FC0CDD951C51A172B8B03F35B2377

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_EB36C9A0888E1D4BB18563C81F4F5FE0.dat
Type: xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: binary
MD5: 2406D6C215D2203F3FE97D33E1F66F57
SHA256: 29812EDF9F7BDBB24C48E758C461B3A9C77CE46632696F84646D85BA9825160D

PID 6784, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\SEC6IL85\Comprobante_swift_8676534657698632 (002).uue:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 58
DNS requests: 31
Threats: 51

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
(CN and Size columns were not captured in this export)

1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6784 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
1760 | RegAsm.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared
3692 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6328 | RegAsm.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared
432 | RegAsm.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared
7136 | RegAsm.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | shared
3692 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a field not captured in this export)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1876 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 92.123.104.63:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3040 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation

crl.microsoft.com | 23.48.23.161, 23.48.23.173, 23.48.23.179, 23.48.23.178, 23.48.23.176, 23.48.23.160, 23.48.23.169, 23.48.23.162, 23.48.23.167 | whitelisted
www.microsoft.com | 23.52.120.96, 2.23.246.101 | whitelisted
google.com | 142.250.186.110 | whitelisted
www.bing.com | 92.123.104.63, 92.123.104.34, 92.123.104.31, 92.123.104.38, 92.123.104.32 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.0, 20.190.159.23, 20.190.159.2, 40.126.31.73, 20.190.159.64, 20.190.159.75, 40.126.31.69, 20.190.159.73 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146, 20.106.86.13, 4.231.128.59 | whitelisted
officeclient.microsoft.com | 52.109.32.97 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted

Threats

Class | Message
(PID and Process columns were not captured in this export)

Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
A Network Trojan was detected | ET MALWARE AgentTesla Exfil via FTP
Misc activity | INFO [ANY.RUN] FTP protocol command for uploading a file
A Network Trojan was detected | STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
A Network Trojan was detected | STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
10 ETPRO signatures available at the full report
No debug info