Field | Value
---|---
File name | NEW_ORDER.zip
Full analysis | https://app.any.run/tasks/ad9108a3-d918-43a9-8ebc-6bbb12dbb95f
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | August 08, 2020, 13:36:40
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 3A222E89F530A0C89F3E60099D10A9C4
SHA1 | 92BD2B8EA98CCC5AB616E660963E0E4C8400CA59
SHA256 | 20286DCA7A649BFC31E5F48CFB112B22675E7CEB7443E7D5DD86B711C5A450D0
SSDEEP | 192:+zX7zuHcR/O2gtEG9w3gvJhn4r0yEOmBuHPIeSXlbLZQn/5h:8X7zIi/gV5vr4r0pOguvUVbLZq/5h

Field | Value
---|---
.zip | ZIP compressed archive (100)
ZipFileName | NEW_ORDER.doc
ZipUncompressedSize | 14638
ZipCompressedSize | 8399
ZipCRC | 0x9305eb99
ZipModifyDate | 2020:08:08 22:35:23
ZipCompression | Deflated
ZipBitFlag | 0x0009
ZipRequiredVersion | 20

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2272 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NEW_ORDER.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2900 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\NEW_ORDER.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3212 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
868 | "C:\Users\admin\AppData\Roaming\simonyi4536.exe" | C:\Users\admin\AppData\Roaming\simonyi4536.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Description: 2048; Exit code: 0; Version: 1.0.0.0
2860 | "C:\Users\admin\AppData\Roaming\simonyi4536.exe" | C:\Users\admin\AppData\Roaming\simonyi4536.exe | — | simonyi4536.exe | User: admin; Integrity Level: MEDIUM; Description: 2048; Version: 1.0.0.0

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2272 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2272.15296\NEW_ORDER.doc | — | — | —
2900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1ECC.tmp.cvr | — | — | —
2860 | simonyi4536.exe | C:\Users\admin\AppData\Roaming\mmghsc3w.3ud\Chrome\Default\Cookies | — | — | —
2860 | simonyi4536.exe | C:\Users\admin\AppData\Roaming\mmghsc3w.3ud\Firefox\Profiles\qldyz51w.default\cookies.sqlite | — | — | —
3212 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\simonxz[1].exe | executable | E2D25F27B54801B0AFFC0F74DB7A7D7D | 88C185B4ECB8EE351E754628627AF848C84B41FAC29E7DAE98A33FECF0FF9424
2900 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 3805F136661317540C6EC942CB4DDB86 | B169BFA607B67C465232CEF3BDE788F9F012B9F19AFE71298AAD4B521289DA4E
3212 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\simonyi4536.exe | executable | E2D25F27B54801B0AFFC0F74DB7A7D7D | 88C185B4ECB8EE351E754628627AF848C84B41FAC29E7DAE98A33FECF0FF9424
2860 | simonyi4536.exe | C:\Users\admin\AppData\Local\Temp\simon\simon.exe | executable | E2D25F27B54801B0AFFC0F74DB7A7D7D | 88C185B4ECB8EE351E754628627AF848C84B41FAC29E7DAE98A33FECF0FF9424
2900 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\NEW_ORDER.doc.LNK | lnk | 7B17CA768443FBCE3F4FB01733DEF470 | 7CE720C16FF0FF6A425C099EE0B98F5A9561F1627250BD02C3BE01F82CBE86C7
2900 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 38B9FF26762C804D3348780B91DAC904 | D1D4F4A73C72074B9C362210F93725193D27AE42C8A0C64EB4FEB4205DF2CF2A

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3212 | EQNEDT32.EXE | GET | 200 | 194.180.224.87:80 | http://abass.ir/simonxz/simonxz.exe | unknown | executable | 867 Kb | whitelisted

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3212 | EQNEDT32.EXE | 194.180.224.87:80 | abass.ir | — | — | malicious
2860 | simonyi4536.exe | 199.79.63.24:587 | bh-58.webhostbox.net | PDR | US | malicious

Domain | IP | Reputation
---|---|---
abass.ir | | whitelisted
bh-58.webhostbox.net | | unknown

PID | Process | Class | Message |
---|---|---|---|
3212 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2860 | simonyi4536.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2860 | simonyi4536.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
2860 | simonyi4536.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
2860 | simonyi4536.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
2860 | simonyi4536.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2860 | simonyi4536.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
2860 | simonyi4536.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
2860 | simonyi4536.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |