| Field | Value |
|---|---|
| File name | Maersk COVID -19 update.xlsx |
| Full analysis | https://app.any.run/tasks/50fefae3-86a8-463f-b73f-30b4578255fb |
| Verdict | Malicious activity |
| Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
| Analysis date | March 31, 2020, 02:16:16 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/encrypted |
| File info | CDFV2 Encrypted |
| MD5 | D35271297FB00127721091FF9346FA4C |
| SHA1 | F274A972D5B3B20824DDA70089AFCE0E059BA500 |
| SHA256 | 479BFB01CD7BBD71CD2CE16CFDB25CF03F205A29CDE830F68D16D6A5994E107F |
| SSDEEP | 12288:K10mlPrj3Dlp6szuispU1plzJrfSgEV3Ms4C4dJy0mky8nCNLRx8SE5uS4vw:rC/zlp6U/lagEV34HdJy0mPeV9uS4vw |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2524 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 2420 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 608 | "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Users\admin\AppData\Roaming\vbc.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Description: Appointment; Exit code: 0; Version: 1.0.0.0 |
| 3624 | "{path}" | C:\Users\admin\AppData\Roaming\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Description: Appointment; Version: 1.0.0.0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6C8D.tmp.cvr | — | — | — |
| 3624 | vbc.exe | C:\Users\admin\AppData\Roaming\haa05ofe.fe2\Chrome\Default\Cookies | — | — | — |
| 3624 | vbc.exe | C:\Users\admin\AppData\Roaming\haa05ofe.fe2\Firefox\Profiles\qldyz51w.default\cookies.sqlite | — | — | — |
| 2420 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\vbc[1].exe | executable | B65B4DDC485EEEFD8DF48D48C8EB4F40 | 2142D5C4EEA4DCC71410E5158D0B8984E84C7E6B7B2B664F66DD5FB4D0199E5B |
| 2420 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\vbc.exe | executable | B65B4DDC485EEEFD8DF48D48C8EB4F40 | 2142D5C4EEA4DCC71410E5158D0B8984E84C7E6B7B2B664F66DD5FB4D0199E5B |
| 3624 | vbc.exe | C:\Users\admin\AppData\Roaming\haa05ofe.fe2.zip | compressed | 2AC3906E24DDA2D0B6CC3286F67553A1 | A245A9AF77DC5124B9C235A6F4AD05B5DEAD99C01E2182EA65D02DE0F8B7C9F1 |
| 2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AA11974.emf | emf | 9DBC4E90F367DF7508C707F6806E8DCA | 78C2466C6539C3C9AECC57DD4B2EA6303724EEAEF9925FC568C6DA8FC6EFDE19 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2420 | EQNEDT32.EXE | GET | 200 | 109.169.89.118:80 | http://easydatatransfercleansystemprofessional.duckdns.org/intel/vbc.exe | GB | executable | 434 Kb | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3624 | vbc.exe | 208.91.199.224:587 | smtp.kushpetroleurn.net | PDR | US | shared |
| 2420 | EQNEDT32.EXE | 109.169.89.118:80 | easydatatransfercleansystemprofessional.duckdns.org | iomart Cloud Services Limited. | GB | malicious |
| Domain | IP | Reputation |
|---|---|---|
| easydatatransfercleansystemprofessional.duckdns.org | — | malicious |
| smtp.kushpetroleurn.net | — | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| 2420 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
| 2420 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3624 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
| 3624 | vbc.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
| 3624 | vbc.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
| 3624 | vbc.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
| 3624 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
| 3624 | vbc.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
| 3624 | vbc.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |