File name: | invoice.doc |
Full analysis: | https://app.any.run/tasks/7c8a374c-625a-42c3-9d8c-2ffb457942d2 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | December 02, 2019, 16:34:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 480AE4B30B8F277160393BB4A218D57E |
SHA1: | C075B2B593125DBCECB24A29060FD0CAF795BBF0 |
SHA256: | 1790E4990810953B92399F479EB386FBE32C410BE0638D3B6D1C2DA76CB62AB6 |
SSDEEP: | 12288:diEUeRxtMFuzqgU1lR89w9Ki3fLMjrLZ9yt6hzIkJ1Be04mFRep77V6Z2xt8:dFUAMF63qD8yU0fLMu8JIkJ+iF4V6Uf8 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2168 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3824 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3480 | "C:\Users\admin\AppData\Roaming\myneworiginoj4723.com" | C:\Users\admin\AppData\Roaming\myneworiginoj4723.com | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3468 | "C:\Users\admin\AppData\Roaming\myneworignsz\myneworig.exe" | C:\Users\admin\AppData\Roaming\myneworignsz\myneworig.exe | — | myneworiginoj4723.com |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2476 | "C:\Users\admin\AppData\Roaming\myneworignsz\myneworig.exe" | C:\Users\admin\AppData\Roaming\myneworignsz\myneworig.exe | myneworig.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA514.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3480 | myneworiginoj4723.com | C:\Users\admin\AppData\Roaming\myneworignsz\myneworig.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
3824 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\myneworiginoj4723.com | executable | |
MD5:1AE9ABDEA9ACEF348A57939DE8A70F76 | SHA256:606643C613E74EFFF593BB2B0BF6DCAAADC72315EEFE34401242E1E68E025641 | |||
2476 | myneworig.exe | C:\Users\admin\AppData\Local\Temp\637109013291532500_567e3dc4-f0e5-4f19-981b-ac091f262424.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4DD679252EF198318E5843C389A80323 | SHA256:A8D8332EBC9360A8AD405C6AC6E9F9ABCE4C06ED99738C664B766A9125D0B476 | |||
3480 | myneworiginoj4723.com | C:\Users\admin\AppData\Roaming\myneworignsz\myneworig.exe | executable | |
MD5:1AE9ABDEA9ACEF348A57939DE8A70F76 | SHA256:606643C613E74EFFF593BB2B0BF6DCAAADC72315EEFE34401242E1E68E025641 | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nvoice.doc | pgc | |
MD5:C8E1DD7E439BD9F916994B04425773F6 | SHA256:2BB748810566F4E4227F17404BFB82D5AC94ABF05F098F86F2B467848421C291 | |||
3824 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\myneworigin[1].exe | executable | |
MD5:1AE9ABDEA9ACEF348A57939DE8A70F76 | SHA256:606643C613E74EFFF593BB2B0BF6DCAAADC72315EEFE34401242E1E68E025641 | |||
2476 | myneworig.exe | C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe | executable | |
MD5:1AE9ABDEA9ACEF348A57939DE8A70F76 | SHA256:606643C613E74EFFF593BB2B0BF6DCAAADC72315EEFE34401242E1E68E025641 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3824 | EQNEDT32.EXE | GET | 200 | 162.144.128.116:80 | http://dubem.top/myneworigin/myneworigin.exe | US | executable | 1.05 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2476 | myneworig.exe | 52.44.169.135:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3824 | EQNEDT32.EXE | 162.144.128.116:80 | dubem.top | Unified Layer | US | malicious |
2476 | myneworig.exe | 199.168.188.2:587 | mail.jointexbd.com | HostDime.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
dubem.top |
| unknown |
checkip.amazonaws.com |
| shared |
mail.jointexbd.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3824 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
3824 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3824 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3824 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2476 | myneworig.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2476 | myneworig.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |