File name:	d9364e2fb7ce18950dd9ca2e1de5a66a23cafa3d8c37d309d98ef4419bd700d8
Full analysis:	https://app.any.run/tasks/d512063e-9076-41ed-b3e2-a039c643d42c
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 08, 2024, 22:50:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion stealer agenttesla ftp exfiltration
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	B5387756A13C498BFD5D263E2F18FF25
SHA1:	6B77966AF7A38E3E617FA15EA5AFD0A09D8BA2FE
SHA256:	D9364E2FB7CE18950DD9CA2E1DE5A66A23CAFA3D8C37D309D98EF4419BD700D8
SSDEEP:	12288:cJlSoEFckTHWluwu87+3a5P+6BMPxbpxOzL0XVU:cJlSoEFckTHWlubQ+3ag6BMP1iLCU

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:12:08 09:23:42
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Statement Of Account USD 26,162.21/


(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\d9364e2fb7ce18950dd9ca2e1de5a66a23cafa3d8c37d309d98ef4419bd700d8.zip
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6460) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6728) Statement Of Account USD 26,162.21.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Statement Of Account USD 26,162_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6728) Statement Of Account USD 26,162.21.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Statement Of Account USD 26,162_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
6728	Statement Of Account USD 26,162.21.exe	C:\Users\admin\AppData\Roaming\Adobe\adobe.exe		executable
		MD5:74421477FAFAF6BEB9D8E3806E1F6643	SHA256:EDB50E85473329F205F9CDE2FCA57605B2DCAFCA75C12C9DA52632BFC4249F26
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6460.5018\Rar$Scan8602.bat		text
		MD5:21443CAF97F0DE9BC889D3F4C8034403	SHA256:647357C74E74375566B52D3797F99A276DD8F90A8F5F306A37F4CFDC1001458F
7156	MpCmdRun.exe	C:\Users\admin\AppData\Local\Temp\MpCmdRun.log		text
		MD5:8F4EFD46F07663F8860D550DF14C5A79	SHA256:2DF75D1A2E7EA51E139DDA9F360620380DA476DED78950C03604C68168BDD94C
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6460.5018\d9364e2fb7ce18950dd9ca2e1de5a66a23cafa3d8c37d309d98ef4419bd700d8.zip\Statement Of Account USD 26,162.21\Statement Of Account USD 26,162.21.exe		executable
		MD5:74421477FAFAF6BEB9D8E3806E1F6643	SHA256:EDB50E85473329F205F9CDE2FCA57605B2DCAFCA75C12C9DA52632BFC4249F26
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6460.8432\Rar$Scan42584.bat		text
		MD5:3B356E26AE9E273607DDAE90A9396C3E	SHA256:5163E031B19BEE8EA6799C4FEF07BC1A6B2F92883FF18B99631204E43AA4A8DF
6460	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6460.8432\d9364e2fb7ce18950dd9ca2e1de5a66a23cafa3d8c37d309d98ef4419bd700d8.zip\Statement Of Account USD 26,162.21\Statement Of Account USD 26,162.21.exe		executable
		MD5:74421477FAFAF6BEB9D8E3806E1F6643	SHA256:EDB50E85473329F205F9CDE2FCA57605B2DCAFCA75C12C9DA52632BFC4249F26

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	104.26.12.205:443	https://api.ipify.org/	unknown	text	14 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3040	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3976	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6728	Statement Of Account USD 26,162.21.exe	104.26.12.205:443	api.ipify.org	CLOUDFLARENET	US	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
www.bing.com	2.23.209.149 2.23.209.187 2.23.209.133 2.23.209.182 2.23.209.140 2.23.209.130	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.9	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
api.ipify.org	104.26.12.205 104.26.13.205 172.67.74.152	shared
s4.serv00.com	213.189.52.181	unknown
self.events.data.microsoft.com	20.50.201.201	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6728	Statement Of Account USD 26,162.21.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
6728	Statement Of Account USD 26,162.21.exe	Potential Corporate Privacy Violation	ET POLICY Possible IP Check api.ipify.org
6728	Statement Of Account USD 26,162.21.exe	A Network Trojan was detected	STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
6728	Statement Of Account USD 26,162.21.exe	A Network Trojan was detected	STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
6728	Statement Of Account USD 26,162.21.exe	A Network Trojan was detected	ET MALWARE AgentTesla Exfil via FTP
—	—	Misc activity	INFO [ANY.RUN] FTP protocol command for uploading a file
6728	Statement Of Account USD 26,162.21.exe	Misc activity	INFO [ANY.RUN] FTP server is ready for the new user

General Info

d9364e2fb7ce18950dd9ca2e1de5a66a23cafa3d8c37d309d98ef4419bd700d8

B5387756A13C498BFD5D263E2F18FF25

6B77966AF7A38E3E617FA15EA5AFD0A09D8BA2FE

D9364E2FB7CE18950DD9CA2E1DE5A66A23CAFA3D8C37D309D98EF4419BD700D8

12288:cJlSoEFckTHWluwu87+3a5P+6BMPxbpxOzL0XVU:cJlSoEFckTHWlubQ+3ag6BMP1iLCU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Steals credentials from Web Browsers

Changes the autorun value in the registry

Actions looks like stealing of personal data

Connects to the CnC server

AGENTTESLA has been detected (SURICATA)

Stealers network behavior

Antivirus name has been found in the command line (generic signature)

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Application launched itself

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Checks for external IP

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Connects to FTP

Connects to unusual port

INFO

Manual execution by a user

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Reads the software policy settings

Disables trace logs

Creates files or folders in the user directory

Checks proxy server information

The process uses the downloaded file

Create files in a temporary directory

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats