File name: tequilla.exe
Full analysis: https://app.any.run/tasks/003c73ac-220d-4682-847e-f73e238272ab
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: January 11, 2019, 12:46:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: darktequila, trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 9FBDC5ECA123E81571E8966B9B4E4A1E
SHA1: 7A5B7C5378E0AFCC77098A87358E4F6A032D3B00
SHA256: DCE2D575BEF073079C658EDFA872A15546B422AD2B74267D33B386DC7CC85B47
SSDEEP: 12288:vzqKbHTadreUv6e2faqsW8lEsbjwepi8K2cE4b5wxH5/uek6JA6QfmpFiMtMv7uL:RPaFnCec8vj1p7pc5bQZ/uesmoqt7j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • svchost.exe (PID: 2604)
    • Connects to CnC server

      • svchost.exe (PID: 2604)
    • DARKTEQUILA was detected

      • svchost.exe (PID: 2604)
    • Deletes the SafeBoot registry key

      • svchost.exe (PID: 2604)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • svchost.exe (PID: 2604)
      • tequilla.exe (PID: 3332)
    • Low-level read access rights to disk partition

      • tequilla.exe (PID: 3332)
      • svchost.exe (PID: 2604)
    • Executable content was dropped or overwritten

      • tequilla.exe (PID: 3332)
    • Removes files from Windows directory

      • svchost.exe (PID: 2604)
    • Application launched itself

      • tequilla.exe (PID: 3500)
    • Creates files in the user directory

      • tequilla.exe (PID: 3332)
    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2604)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0xe1ad0
UninitializedDataSize: 49152
InitializedDataSize: 4096
CodeSize: 876544
LinkerVersion: 10
PEType: PE32
TimeStamp: 1999:12:05 05:15:29+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-1999 04:15:29
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 05-Dec-1999 04:15:29
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x0000C000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x0000D000 | 0x000D6000 | 0x000D5800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99964
.rsrc | 0x000E3000 | 0x00001000 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.68191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 2.56279 | 744 | UNKNOWN | English - United States | RT_ICON
2 | 2.44714 | 296 | UNKNOWN | English - United States | RT_ICON
IDI_MAIN_ICON | 2.37086 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON

Imports

KERNEL32.DLL
msvcrt.dll
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph:
  • start
  • tequilla.exe (no specs)
  • tequilla.exe
  • svchost.exe (#DARKTEQUILA)
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)

Process information

PID: 3500
CMD: "C:\Users\admin\AppData\Local\Temp\tequilla.exe"
Path: C:\Users\admin\AppData\Local\Temp\tequilla.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3332
CMD: "C:\Users\admin\appdata\local\temp\tequilla.exe"
Path: C:\Users\admin\appdata\local\temp\tequilla.exe
Parent process: tequilla.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2604
CMD: C:\Windows\system32\svchost.exe -k Wcsrss
Path: C:\Windows\system32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2224
CMD: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2844
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 569
Read events: 416
Write events: 147
Delete events: 6

Modification events

PID | Process | Key | Operation | Name | Value
3500 | tequilla.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
3500 | tequilla.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | Description | This service manages client to server coordination in the local system.
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | DisplayName | Windows Client Server Runtime Subsystem
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | ImagePath | %SystemRoot%\system32\svchost.exe -k Wcsrss
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | ObjectName | LocalSystem
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | ErrorControl | 0
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | Start | 2
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | Type | 16
3332 | tequilla.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem | write | FailureActions | 00000000000000000000000001000000140000000100000000000000
Executable files: 1
Suspicious files: 5
Text files: 0
Unknown types: 19

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3332 | tequilla.exe | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\Cab227D.tmp | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\Tar227E.tmp | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\Cab229E.tmp | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\Tar229F.tmp | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\Cab3761.tmp | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\Tar3762.tmp | - | - | -
2604 | svchost.exe | C:\Windows\TEMP\1547210903.bat | - | - | -
3332 | tequilla.exe | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol | sol | 3D751E40681FE84C011A7EB5C59A3515 | F39D3D4C50AD7F65CB83DF9F33FC2F67FB421AF7DCFFA38ACDB4B01D2DD0F9CB
2604 | svchost.exe | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed | A902CF373E02F7DC34F456ED7449279C | EA0C12AEDEA644678014991A96534145E85AA12CD8955396DFDC98A4FC96F0D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 7
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2604 | svchost.exe | GET | 301 | 108.174.10.10:80 | http://linkedin.com/ | US | - | - | whitelisted
2604 | svchost.exe | GET | 302 | 65.55.163.80:80 | http://login.live.com/ | US | - | - | whitelisted
2604 | svchost.exe | GET | 302 | 65.55.50.189:80 | http://update.microsoft.com/ | US | html | 151 b | whitelisted
2604 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2604 | svchost.exe | 108.174.10.10:80 | linkedin.com | LinkedIn Corporation | US | suspicious
2604 | svchost.exe | 65.55.50.189:80 | update.microsoft.com | Microsoft Corporation | US | whitelisted
2604 | svchost.exe | 74.86.70.102:443 | - | SoftLayer Technologies Inc. | US | malicious
2604 | svchost.exe | 65.55.163.80:80 | login.live.com | Microsoft Corporation | US | whitelisted
2604 | svchost.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
update.microsoft.com | 65.55.50.189, 104.45.184.101 | whitelisted
login.live.com | 65.55.163.80, 65.55.163.78, 65.55.163.76 | whitelisted
linkedin.com | 108.174.10.10 | whitelisted
www.download.windowsupdate.com | 93.184.221.240 | whitelisted

Threats

PID | Process | Class | Message
2604 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.DarkTequila Malicious SSL Cert
2604 | svchost.exe | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)
2604 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.DarkTequila Malicious SSL Cert
2604 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32.DarkTequila Malicious SSL connection
No debug info