Property | Value
---|---
File name | 46YhX91Wb2zKPyyKUGF.eml
Full analysis | https://app.any.run/tasks/dad059aa-9823-4b48-bbae-7b53814f35d1
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | September 19, 2019, 08:08:57
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | message/rfc822
File info | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5 | CEAB3CEA6F4ADF99C9FA5010EF17B747
SHA1 | 427AAA65DB68573FDC6A28C50A19FBCE008FF1F4
SHA256 | DAA748F2CA161BF6A8960B3C04CABD09CBAD4D494C4B009F5813C3E54A79FA72
SSDEEP | 24576:vLp5WVJMiLzsyOE3hvCEav6qcGkptrLegC/nw3l2VMWeIrYR30dK0qDKDgeLOR7z:vLda3JPaIRtHegCfwMfcRdDKZGHvSl6
.eml | E-Mail message (Var. 5) (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3504 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\46YhX91Wb2zKPyyKUGF.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
3024 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N10KKQKJ\MAERSK LINE SHIPPING DOCUMENT.tar" | C:\Program Files\WinRAR\WinRAR.exe | | OUTLOOK.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2664 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.7630\MAERSK LINE SHIPPING DOCUMENT.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.7630\MAERSK LINE SHIPPING DOCUMENT.exe | | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3560 | "C:\Users\admin\AppData\Local\Temp\28535807\hao.exe" uvqolw | C:\Users\admin\AppData\Local\Temp\28535807\hao.exe | — | MAERSK LINE SHIPPING DOCUMENT.exe | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Exit code: 0; Version: 3, 3, 8, 1
4028 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | | hao.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Services Installation Utility; Version: 4.7.3062.0 built by: NET472REL1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3504 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9A70.tmp.cvr | — | — | —
3504 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp9CA3.tmp | — | — | —
3504 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N10KKQKJ\MAERSK LINE SHIPPING DOCUMENT (2).tar\:Zone.Identifier:$DATA | — | — | —
2664 | MAERSK LINE SHIPPING DOCUMENT.exe | C:\Users\admin\AppData\Local\Temp\28535807\uvqolw | — | — | —
3504 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\829110EA.dat | image | 5EC1D8C7A7C67A0D07AC79B04A7BF0B0 | 66C7DDF5CA264BC04581462C466196CA77546EAD7E940D5011D890582DB66630
3504 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 1636EA9805E8BA1E416F19732CA1165D | 4DBD717E47D7B4EB6EAB4600E92E6454EB08D81239636BF830FEED2A1262E83A
2664 | MAERSK LINE SHIPPING DOCUMENT.exe | C:\Users\admin\AppData\Local\Temp\28535807\sof.ico | text | 73693449B97A1BE53AA122B7435C1C96 | C42B80FAD47814E56EFB1BDC75F5ABD6DEA916221771EE8F87A898C624AEBAFA
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.7630\MAERSK LINE SHIPPING DOCUMENT.exe | executable | BBC3B0D8589CED9B63CCFB075657F5F6 | 19441C9E6D1C48D444B9D7423676F66E129407E4DD28CDED2B240DE0F77BF03F
2664 | MAERSK LINE SHIPPING DOCUMENT.exe | C:\Users\admin\AppData\Local\Temp\28535807\jkf.dat | text | A4ACDA08AA047DC50F5D20CD92E9CCBE | 383D6CAFAAD85736708FD524CD601C731B9725CACF0ECDE6D7FA367204B5BD0E
3504 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{978D2271-7266-43D1-A71F-69940C8D34C9}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4028 | RegSvcs.exe | GET | 200 | 3.224.145.145:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3504 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
4028 | RegSvcs.exe | 3.224.145.145:80 | checkip.amazonaws.com | — | US | shared |
4028 | RegSvcs.exe | 199.193.7.228:587 | smtp.privateemail.com | Namecheap, Inc. | US | unknown |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | | whitelisted
checkip.amazonaws.com | | shared
smtp.privateemail.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
4028 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
4028 | RegSvcs.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |