File name: #30717.doc

Full analysis: https://app.any.run/tasks/94bbb7b4-d5e0-47ff-86ca-fe9ec93d982b
Verdict: Malicious activity
Threats: Agent Tesla
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: December 02, 2019, 18:24:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, loader, stealer, agenttesla
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5: 2D38C831449AD31D3A58592FA4142F0B
SHA1: 7C6FC38004AA455B2B3E7B5D6A58154E3283833F
SHA256: 51F9B61A7735FE1551FFFBED05E8D6A969C6D5E072849AAA5522C8EB06030BEF
SSDEEP: 12288:ZiEUeRxtMFuzqgU1lR89w9Ki3fLMjrLZ9yt6hzIkJ1Be04mFRep77V6Z2xt8l:ZFUAMF63qD8yU0fLMu8JIkJ+iF4V6UfK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2604)
      • mroutputroj4737.com (PID: 656)
      • mroutputroj4737.com (PID: 976)
    • AGENTTESLA detected
      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2604)
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3044)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3044)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3044)
    • Actions look like stealing of personal data
      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2604)
  • SUSPICIOUS
    • Starts application with an unusual extension
      • EQNEDT32.EXE (PID: 3044)
      • mroutputroj4737.com (PID: 976)
    • Starts CMD.EXE for commands execution
      • msdt.exe (PID: 2932)
    • Executable content was dropped or overwritten
      • mroutputroj4737.com (PID: 656)
      • EQNEDT32.EXE (PID: 3044)
    • Application launched itself
      • mroutputroj4737.com (PID: 976)
    • Executed via COM
      • EQNEDT32.EXE (PID: 3044)
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3044)
  • INFO
    • Manual execution by user
      • msdt.exe (PID: 2932)
    • Reads the hosts file
      • msdt.exe (PID: 2932)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1600)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1600)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Behavior graph: process nodes winword.exe (no specs), eqnedt32.exe, mroutputroj4737.com (no specs), mroutputroj4737.com, mr.festus origin rawfile.exe (#AGENTTESLA), msdt.exe (no specs), cmd.exe (no specs); edges are labelled "start" and "drop and start"]

Process information

PID: 1600
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\#30717.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3044
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 976
CMD: "C:\Users\admin\AppData\Roaming\mroutputroj4737.com"
Path: C:\Users\admin\AppData\Roaming\mroutputroj4737.com
Parent process: EQNEDT32.EXE
User: admin
Company: prj4___Supe4
Integrity Level: MEDIUM
Description: prj4___Supe4
Exit code: 0
Version: 6.06.0008

PID: 656
CMD: "C:\Users\admin\AppData\Roaming\mroutputroj4737.com"
Path: C:\Users\admin\AppData\Roaming\mroutputroj4737.com
Parent process: mroutputroj4737.com
User: admin
Company: prj4___Supe4
Integrity Level: MEDIUM
Description: prj4___Supe4
Exit code: 0
Version: 6.06.0008

PID: 2604
CMD: "C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe"
Path: C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe
Parent process: mroutputroj4737.com
User: admin
Integrity Level: MEDIUM
Description:
Version: 0.0.0.0

PID: 2932
CMD: "C:\Windows\System32\msdt.exe"
Path: C:\Windows\System32\msdt.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3308
CMD: /c del "C:\Users\admin\AppData\Roaming\mroutputroj4737.com"
Path: C:\Windows\System32\cmd.exe
Parent process: msdt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 745
Read events: 1 039
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 0
Text files: 3
Unknown types: 3

Dropped files

PID: 1600
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRB60C.tmp.cvr
Type:
MD5:
SHA256:

PID: 1600
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: D3E45E9E34C71A48C10FD945E9620BAF
SHA256: 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F

PID: 3044
Process: EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\MR_output1AF2EE0[1].exe
Type: executable
MD5: 9D75446EE972C262B11A84A7E78C18AA
SHA256: E5BA5561A595F111ED5EBFC11CE700B12F0736BEAB9638ACD2403C35620D68FD

PID: 2604
Process: MR.FESTUS ORIGIN RAWFILE.exe
Filename: C:\Users\admin\AppData\Local\Temp\567e3dc4-f0e5-4f19-981b-ac091f262424
Type: sqlite
MD5: 0B3C43342CE2A99318AA0FE9E531C57B
SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8

PID: 3044
Process: EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Roaming\mroutputroj4737.com
Type: executable
MD5: 9D75446EE972C262B11A84A7E78C18AA
SHA256: E5BA5561A595F111ED5EBFC11CE700B12F0736BEAB9638ACD2403C35620D68FD

PID: 656
Process: mroutputroj4737.com
Filename: C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe
Type: executable
MD5: 2BB3E1663EC6DFB78F9574559E331BE1
SHA256: C898CD3EF82837832268CE20D9DD354C3B8C85803AEC9A591D6A9A0EBE69CFF8

PID: 1600
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$#30717.doc
Type: pgc
MD5: 2779365BF6E628B01846229811176135
SHA256: CC9E3A937E86A10B8D9F4D304FCDFBF6C39B3D0448B50BCFB4B5011CFB37CDC0

PID: 976
Process: mroutputroj4737.com
Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
Type: text
MD5: D2A2412BDDBA16D60EC63BD9550D933F
SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A

PID: 656
Process: mroutputroj4737.com
Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
Type: text
MD5: D2A2412BDDBA16D60EC63BD9550D933F
SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3044
Process: EQNEDT32.EXE
Method: GET
HTTP Code: 200
IP: 162.144.128.116:80
URL: http://dubem.top/templ/MR_output1AF2EE0.exe
CN: US
Type: executable
Size: 1000 Kb
Reputation: malicious

Connections

PID: 3044
Process: EQNEDT32.EXE
IP: 162.144.128.116:80
Domain: dubem.top
ASN: Unified Layer
CN: US
Reputation: malicious

DNS requests

Domain: dubem.top
IP: 162.144.128.116
Reputation: unknown

Threats

PID:
Process:
Class: Potentially Bad Traffic
Message: ET DNS Query to a *.top domain - Likely Hostile

PID: 3044
Process: EQNEDT32.EXE
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016

PID: 3044
Process: EQNEDT32.EXE
Class: Potentially Bad Traffic
Message: ET INFO HTTP Request to a *.top domain

PID: 3044
Process: EQNEDT32.EXE
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3044
Process: EQNEDT32.EXE
Class: Misc activity
Message: ET INFO Possible EXE Download From Suspicious TLD

PID: 2604
Process: MR.FESTUS ORIGIN RAWFILE.exe
Class: Generic Protocol Command Decode
Message: SURICATA Applayer Detect protocol only one direction
1 ETPRO signature is available in the full report
No debug info