analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MT 103-88604.xlsm

Full analysis: https://app.any.run/tasks/8351edfd-267b-4d23-80a2-eeffed2c4692
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 07:03:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
loader
evasion
trojan
rat
agenttesla
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

1D67DDADADB4BEB888A10F31D2E2BA18

SHA1:

5EF223C771B286D5AC6A8E54C2986B437E214266

SHA256:

4A276D9EBD099D3BADAF93E66249189181C1505EAFECE970AAC578AD46CF210A

SSDEEP:

768:sXO9Emue6c4VWO5nvc7BiTO/g2N3jIAWeLmOwLRikGPVFyr:/9oPc4V75E79g2FEAjLmOw1sVu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3600)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3600)

    • Application was dropped or rewritten from another process

      • nameX.exe (PID: 3228)

    • AGENTTESLA was detected

      • nameX.exe (PID: 3228)

    • Actions looks like stealing of personal data

      • nameX.exe (PID: 3228)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3600)

    • Creates files in the program directory

      • EQNEDT32.EXE (PID: 3600)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3600)

    • Checks for external IP

      • nameX.exe (PID: 3228)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2940)
      • EXCEL.EXE (PID: 2700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:04:25 00:30:02
ZipCRC: 0xab2e58ef
ZipCompressedSize: 538
ZipUncompressedSize: 3979
ZipFileName: [Content_Types].xml

XML

ContentTypeId: 0x01010079F111ED35F8CC479449609E8A0923A6
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 2
TitlesOfParts:
  • Start
  • Personal Monthly Budget
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
LastModifiedBy: -
CreateDate: 2019:03:18 20:41:36Z
ModifyDate: 2019:04:24 16:18:04Z

XMP

Creator: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs explorer.exe no specs excel.exe no specs eqnedt32.exe #AGENTTESLA namex.exe

Process information

PID
CMD
Path
Indicators
Parent process
2700"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3288"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2940"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3600"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3228C:\ProgramData\nameX.exeC:\ProgramData\nameX.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
Total events
979
Read events
895
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2700EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRFE5D.tmp.cvr
MD5:
SHA256:
2700EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$MT 103-88604.xlsm.xlsx
MD5:
SHA256:
2940EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR8204.tmp.cvr
MD5:
SHA256:
3600EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3600EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\obi9[1].exeexecutable
MD5:A6FC0D831B261F9C5370B7BEE1CE801F
SHA256:079A54CA364A6934F822CF2E965E0D1B0FEF21C6BAEF2FE8B09E31E36261B6C4
3600EQNEDT32.EXEC:\ProgramData\nameX.exeexecutable
MD5:A6FC0D831B261F9C5370B7BEE1CE801F
SHA256:079A54CA364A6934F822CF2E965E0D1B0FEF21C6BAEF2FE8B09E31E36261B6C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3600
EQNEDT32.EXE
GET
200
185.224.138.123:80
http://ultimateviel.esy.es/new/obi9.exe
unknown
executable
278 Kb
suspicious
3228
nameX.exe
GET
200
52.206.161.133:80
http://checkip.amazonaws.com/
US
text
15 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3600
EQNEDT32.EXE
185.224.138.123:80
ultimateviel.esy.es
suspicious
3228
nameX.exe
52.206.161.133:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared
3228
nameX.exe
208.91.199.223:587
smtp.gpbocsh.com
PDR
US
shared

DNS requests

Domain
IP
Reputation
ultimateviel.esy.es
  • 185.224.138.123
suspicious
smtp.gpbocsh.com
  • 208.91.199.223
  • 208.91.199.225
  • 208.91.199.224
  • 208.91.198.143
malicious
checkip.amazonaws.com
  • 52.206.161.133
  • 34.233.102.38
  • 18.211.215.84
  • 52.200.125.74
  • 52.202.139.131
  • 52.6.79.229
shared

Threats

PID
Process
Class
Message
3600
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3600
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3228
nameX.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3228
nameX.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
3228
nameX.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
MT 103-88604.xlsm