File name: | 2e03f96ac52250b21bed4cda63bc1d7d8a12e5182a4eae59fc1e894423283f01.doc |
Full analysis: | https://app.any.run/tasks/89d12a6d-1b09-4f39-bcc5-4cf88820d8e9 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | May 15, 2019, 07:37:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Black Panther, Template: Normal.dotm, Last Saved By: doggy, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Tue May 14 22:15:00 2019, Last Saved Time/Date: Tue May 14 22:46:00 2019, Number of Pages: 1, Number of Words: 17, Number of Characters: 103, Security: 0 |
MD5: | A80AF34921C58947921B109EC1DC0094 |
SHA1: | B4E719FC583BC9EF8ED63BCAFB2B615AEAACC940 |
SHA256: | 2E03F96AC52250B21BED4CDA63BC1D7D8A12E5182A4EAE59FC1E894423283F01 |
SSDEEP: | 12288:kDquErHF6xC9D6DmR1J98w4oknqO/CyQf4TblfS3rygecr82yVLTASC/:prl6kD68JmlokQf4PlabygHyVLTAP/ |
.doc | | | Microsoft Word document (80) |
---|
CompObjUserType: | Microsoft Office Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 39 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
CharCountWithSpaces: | 119 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 103 |
Words: | 17 |
Pages: | 1 |
ModifyDate: | 2019:05:14 21:46:00 |
CreateDate: | 2019:05:14 21:15:00 |
TotalEditTime: | 3.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 5 |
LastModifiedBy: | doggy |
Template: | Normal.dotm |
Keywords: | - |
Author: | Black Panther |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2464 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\2e03f96ac52250b21bed4cda63bc1d7d8a12e5182a4eae59fc1e894423283f01.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 | ||||
896 | "C:\Users\admin\AppData\Local\Temp\Quotation.exe" | C:\Users\admin\AppData\Local\Temp\Quotation.exe | WINWORD.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1264 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Quotation.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR53D9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:1BBE319A3189CEA266C1F1FC7C1F10D4 | SHA256:657A2AFDE4A757408D9C656FDA064EEAAA1B3A5C24E4326C67D88AE17A88518E | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Quotation.exe | executable | |
MD5:CDC08A162A3331DCB68E9CB8FE099143 | SHA256:591F350DBF69C064C1A5AE676722CF578A4DCE8155E9BEB7B4A70AF84DF63A5E | |||
2464 | WINWORD.EXE | C:\Users\admin\Desktop\~$03f96ac52250b21bed4cda63bc1d7d8a12e5182a4eae59fc1e894423283f01.doc | pgc | |
MD5:CDDC92F836CDB72D3FB86916713236EA | SHA256:EDD7CE9B4CCB0CA013099F4975AA7F75FD86014607F6204FAA131CB0C519163D | |||
896 | Quotation.exe | C:\Users\admin\sppsvc\windeploy.exe | executable | |
MD5:592C3FD99E92CBA5F1067258A54BC51C | SHA256:B61F79C859C2BE8FC461606E4A6DC33E7E88A739EC2C9FF983A49A2A115FC53F | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8ACBCA88.emf | emf | |
MD5:A551703EE42AF6344BFBD76E010D7F8A | SHA256:D9EEEA36D7A0295914A1AE24CC6BCE014F47B70E02C8322B89C5C553CA5BD802 | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2e03f96ac52250b21bed4cda63bc1d7d8a12e5182a4eae59fc1e894423283f01.LNK | lnk | |
MD5:2414A1829A414BDEB71F104D2C9C84F9 | SHA256:04D1B2B5B06863F5825B1E775FFD1F573E15374A90C39FA6F230FBCE2866EE1F | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Quotation.exe:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1264 | RegAsm.exe | GET | 200 | 52.206.161.133:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1264 | RegAsm.exe | 52.206.161.133:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
1264 | RegAsm.exe | 198.54.125.159:26 | mail.sonofgraceoffice.website | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
mail.sonofgraceoffice.website |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
1264 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
1264 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |