Field | Value |
---|---|
File name | 880c091a7dcaffc11511604e02cc91be59410401.xls |
Full analysis | https://app.any.run/tasks/a5267910-b6b1-4dcb-8f58-2327ddc8d55a |
Verdict | Malicious activity |
Threats | Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns. |
Analysis date | March 21, 2019, 07:02:23 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: HP, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Mar 18 21:32:05 2019, Last Saved Time/Date: Mon Mar 18 21:36:02 2019, Security: 0 |
MD5 | 6C024C4190EF1C7C788AA0927A26F928 |
SHA1 | 880C091A7DCAFFC11511604E02CC91BE59410401 |
SHA256 | 243C496098768E220D7215E2AB0859A2A3463271E4E547B11CACAF4EB0349EE2 |
SSDEEP | 6144:wk3hOdsylKlgryzc4bNhZF+E+W2knAtmf0LuW1:Yq |
Extension | Detection |
---|---|
.xls | Microsoft Excel sheet (48) |
.xls | Microsoft Excel sheet (alternate) (39.2) |
Property | Value |
---|---|
Author | - |
LastModifiedBy | HP |
Software | Microsoft Excel |
CreateDate | 2019:03:18 21:32:05 |
ModifyDate | 2019:03:18 21:36:02 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | - |
AppVersion | 15 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | Sheet1 |
HeadingPairs | |
CompObjUserTypeLen | 31 |
CompObjUserType | Microsoft Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
320 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
340 | "C:\Users\admin\AppData\Local\Temp\kdhgmf.exe" | C:\Users\admin\AppData\Local\Temp\kdhgmf.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Web Publishing Wizard executable; Exit code: 0; Version: 6.1.33.0 |
1516 | C:\Windows\system32\notepad.exe | C:\Windows\system32\notepad.exe | — | kdhgmf.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
320 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR866D.tmp.cvr | — | — | — |
340 | kdhgmf.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp | — | — | — |
320 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\file[1].exe | executable | 4449D71C3A2404B4697A74024A66CC74 | 8871E63DB14D8A9E970E1FA2FC5A92FA0781F216FEA8F75DE7B57738603C7812 |
320 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\kdhgmf.exe | executable | 4449D71C3A2404B4697A74024A66CC74 | 8871E63DB14D8A9E970E1FA2FC5A92FA0781F216FEA8F75DE7B57738603C7812 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1516 | notepad.exe | POST | 404 | 62.173.149.163:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | RU | html | 162 b | malicious |
1516 | notepad.exe | GET | 404 | 62.173.149.163:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | RU | html | 162 b | malicious |
1516 | notepad.exe | POST | 404 | 62.173.149.163:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | RU | html | 162 b | malicious |
1516 | notepad.exe | POST | 400 | 62.173.138.211:80 | http://benten07.futbolJ | RU | html | 166 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1516 | notepad.exe | 62.173.149.163:80 | benten07.futbol | JSC Internet-Cosmos | RU | malicious |
1516 | notepad.exe | 62.173.138.211:80 | benten07.futbol | JSC Internet-Cosmos | RU | malicious |
320 | EXCEL.EXE | 54.231.82.218:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
s3.amazonaws.com | | shared |
benten07.futbol | | malicious |
PID | Process | Class | Message |
---|---|---|---|
1516 | notepad.exe | A Network Trojan was detected | ET TROJAN Generic gate[.].php GET with minimal headers |
1516 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
1516 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
1516 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] KPOT Stealer Data Exfiltration |
1516 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PNJ (KPOT Stealer) Exfiltration |
1516 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
1516 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |