URL: | https://s321.duckdns.org/v/c/g/t/ |
Full analysis: | https://app.any.run/tasks/c7d7aa91-742b-4210-8d2a-072edee22485 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | September 19, 2019, 04:50:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | D59C5CF9D38F5862795F1EB1D22DB34D |
SHA1: | B7B73CFF4F1E756282B15FBEBAB7DFA1EF8D522F |
SHA256: | E78BBE7536E79E2DAEC42AF1600887F361C565DC0EFAE40D6E53C6F990634DB0 |
SSDEEP: | 3:N8WCLWisi:2WIWli |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3576 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://s321.duckdns.org/v/c/g/t/" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4064 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3576 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3824 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\g222[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\g222[1].exe | — | iexplore.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
356 | "schtasks.exe" /query | C:\Windows\system32\schtasks.exe | — | g222[1].exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3628 | "schtasks.exe" /create /sc MINUTE /tn dsg /MO 1 /tr C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\g222[1].exe | C:\Windows\system32\schtasks.exe | — | g222[1].exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 2147500037 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2484 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | g222[1].exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 4294967295 Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
2388 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\putty[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\putty[1].exe | — | iexplore.exe |
User: admin Company: Simon Tatham Integrity Level: MEDIUM Description: SSH, Telnet and Rlogin client Exit code: 0 Version: Release 0.72 (with embedded help) | ||||
2376 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\the[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\the[1].exe | — | iexplore.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3684 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | the[1].exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2532 | "C:\Windows\System32\msiexec.exe" | C:\Windows\System32\msiexec.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3576 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3576 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab9EB5.tmp | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar9EB6.tmp | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab9EC7.tmp | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar9EC8.tmp | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabAC85.tmp | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarAC86.tmp | — | |
MD5:— | SHA256:— | |||
4064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | binary | |
MD5:55B280D42F86486F9CF370E6FE9489C9 | SHA256:BF89AF256BB3B0D2C39729F673D681AD34909C27D11CAC5969EAB0ED2C554A33 | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:166370A4E9C5D6008FA53F683FFBAC00 | SHA256:916AC424D6BFEDE88B142C81E8D41BE576CECCD7054F90109D2F63A0305AE6AF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2768 | RegAsm.exe | GET | 200 | 18.214.132.216:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
276 | explorer.exe | GET | 301 | 104.221.216.171:80 | http://www.jingyimx.com/nx/?pPx=zkugRN2tzGJEhPxBzYlLh0OQ41H1Tm05zd4OlCBLsrvrfIsOaBhkOu+axv+FxM87aN2bUw==&pB=jliTiHT8W | US | html | 158 b | malicious |
2792 | RegAsm.exe | GET | 200 | 52.55.255.113:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
276 | explorer.exe | GET | — | 208.91.197.27:80 | http://www.makemypalns.com/nx/?pPx=ApT8EAiMFA2+XJLCRmgCZm8rhvVcwq/I/QK9sQO578BDe9Iv1LXHeXrScLYaCIMT5AmOkA==&pB=jliTiHT8W&sql=1 | US | — | — | malicious |
2792 | RegAsm.exe | GET | 200 | 52.55.255.113:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
2484 | RegAsm.exe | GET | 200 | 18.205.71.63:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
2768 | RegAsm.exe | GET | 200 | 18.214.132.216:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
2860 | RegAsm.exe | GET | 200 | 18.205.71.63:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
276 | explorer.exe | GET | 302 | 54.208.77.124:80 | http://www.worldsbestfathers.com/nx/?pPx=UaeCgaZsVdNoQTzSynKueu2VBZ3WVeazCAxAYjUxIFyArxvRwJX57GVEGlvLNXIYuzpSvQ==&pB=jliTiHT8W&sql=1 | US | html | 309 b | malicious |
276 | explorer.exe | POST | — | 54.208.77.124:80 | http://www.worldsbestfathers.com/nx/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3576 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2768 | RegAsm.exe | 18.214.132.216:80 | checkip.amazonaws.com | — | US | shared |
2484 | RegAsm.exe | 18.205.71.63:80 | checkip.amazonaws.com | — | US | shared |
4064 | iexplore.exe | 8.248.101.254:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | unknown |
4064 | iexplore.exe | 23.249.163.172:443 | s321.duckdns.org | ColoCrossing | US | malicious |
2628 | RegAsm.exe | 18.214.132.216:80 | checkip.amazonaws.com | — | US | shared |
276 | explorer.exe | 54.208.77.124:80 | www.worldsbestfathers.com | Amazon.com, Inc. | US | malicious |
276 | explorer.exe | 104.221.216.171:80 | www.jingyimx.com | eSited Solutions | US | malicious |
3576 | iexplore.exe | 23.249.163.172:443 | s321.duckdns.org | ColoCrossing | US | malicious |
276 | explorer.exe | 217.160.0.29:80 | www.forstfex.com | 1&1 Internet SE | DE | malicious |
Domain | IP | Reputation |
---|---|---|
s321.duckdns.org |
| malicious |
www.bing.com |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
checkip.amazonaws.com |
| shared |
www.thatcraftychick.com |
| unknown |
www.jingyimx.com |
| malicious |
www.www719234.com |
| unknown |
www.worldsbestfathers.com |
| malicious |
www.forstfex.com |
| malicious |
www.873dwo.info |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2484 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2768 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2628 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
276 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |