File name: | Samples and Enquiries.exe |
Full analysis: | https://app.any.run/tasks/4f848017-cc14-4691-817c-d6c28b2556cf |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | October 14, 2019, 19:59:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 499E717756349E038B824DC9CCBF640E |
SHA1: | FF1ACD16AF1F856B91117C176D15CBD2F674D96C |
SHA256: | DE52D0C2FE133D9D39B41FE50C361FC0E404DB1564B287723290E5BED26ACEC1 |
SSDEEP: | 12288:EkLJnjCb2WuCgRACKCkD40JSXluuSSXgAe:EkLc6WuCgRACKFJSXluu5N |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
OriginalFileName: | GASas.exe |
---|---|
InternalName: | GASas |
ProductVersion: | 1.01.0003 |
FileVersion: | 1.01.0003 |
ProductName: | AMmiccova |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.1.0.3 |
FileVersionNumber: | 1.1.0.3 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 1.1 |
OSVersion: | 4 |
EntryPoint: | 0x1334 |
UninitializedDataSize: | - |
InitializedDataSize: | 16384 |
CodeSize: | 548864 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2015:08:23 04:22:26+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-Aug-2015 02:22:26 |
Detected languages: |
|
ProductName: | AMmiccova |
FileVersion: | 1.01.0003 |
ProductVersion: | 1.01.0003 |
InternalName: | GASas |
OriginalFilename: | GASas.exe |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000B8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 23-Aug-2015 02:22:26 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00085EC4 | 0x00086000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.06243 |
.data | 0x00087000 | 0x0000116C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00089000 | 0x00001D3C | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.96829 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.24049 | 484 | Unicode (UTF 16LE) | English - United States | RT_VERSION |
30001 | 3.6365 | 2664 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30002 | 5.98653 | 2216 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
30003 | 6.06042 | 1736 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON |
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2096 | "C:\Users\admin\AppData\Local\Temp\Samples and Enquiries.exe" | C:\Users\admin\AppData\Local\Temp\Samples and Enquiries.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.01.0003 | ||||
3616 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\loginrelease.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1096 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4080 | "C:\Users\admin\AppData\Local\Temp\Samples and Enquiries.exe" | C:\Users\admin\AppData\Local\Temp\Samples and Enquiries.exe | Samples and Enquiries.exe | |
User: admin Integrity Level: MEDIUM Version: 1.01.0003 | ||||
3160 | C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2608 | dw20.exe -x -s 1188 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | Samples and Enquiries.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Version: 2.0.50727.4927 (NetFXspW7.050727-4900) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRCDBA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9F2345EDA5E6153E0886775F038E318A | SHA256:73AA50DC19C590CDEBF6CF838F9756215415427B785B47AB6041CDE4B496885B | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\loginrelease.rtf.LNK | lnk | |
MD5:CBA60C2CAD909417CD6F6705ECD23203 | SHA256:0FA6B61B36572CD459910B4FE06F8DD810A381C98A7041CF8049F1DDCA17F691 | |||
4080 | Samples and Enquiries.exe | C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe | executable | |
MD5:499E717756349E038B824DC9CCBF640E | SHA256:DE52D0C2FE133D9D39B41FE50C361FC0E404DB1564B287723290E5BED26ACEC1 | |||
4080 | Samples and Enquiries.exe | C:\Users\admin\AppData\Local\Temp\637066836427183360_c3a1dc1d-5dd5-47ae-8248-3a40e9765727.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3616 | WINWORD.EXE | C:\Users\admin\Desktop\~$ginrelease.rtf | pgc | |
MD5:E316563D9AB42B33EC7A742EAB6D6548 | SHA256:49FAEC3D8BA1669F656B161353E1EBE5DEDCCB406049430A0DE392A5DD9C837C | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:08DDFE32B214CECC3D96B9598266EE84 | SHA256:24B73FA41BC449FF6B39F5E1B20D0098CA50C20822AB1B0B777994B129B1C857 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4080 | Samples and Enquiries.exe | 173.254.28.237:587 | mail.amethishipping.com | Unified Layer | US | malicious |
Domain | IP | Reputation |
---|---|---|
mail.amethishipping.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
4080 | Samples and Enquiries.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |