File name: Intldvigmefzc_Cop.doc
Full analysis: https://app.any.run/tasks/c81c460b-847c-487a-94cd-f60a4f0df8b9
Verdict: Malicious activity
Threats:
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where it is sold.

Analysis date: December 02, 2019, 19:54:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, loader, stealer, agenttesla, trojan, formbook
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5: 2D38C831449AD31D3A58592FA4142F0B
SHA1: 7C6FC38004AA455B2B3E7B5D6A58154E3283833F
SHA256: 51F9B61A7735FE1551FFFBED05E8D6A969C6D5E072849AAA5522C8EB06030BEF
SSDEEP: 12288:ZiEUeRxtMFuzqgU1lR89w9Ki3fLMjrLZ9yt6hzIkJ1Be04mFRep77V6Z2xt8l:ZFUAMF63qD8yU0fLMu8JIkJ+iF4V6UfK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
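Two of the indicators above are worth checking on any inbound document before it reaches a sandbox: the body is RTF although the file carries a .doc extension (Word picks the parser from the content, so the extension hides nothing from Word), and the CVE-2017-11882 tag means the RTF embeds an Equation Editor OLE object. The checker below is example code written for this page, not ANY.RUN's tooling and not the analysed sample; the RTF it scans is a constructed stand-in built inline, with the same structure an exploit document uses (a truncated `{\rt` header, an `\objclass Equation.3` control word, and an OLE1 container in `\objdata` whose payload names the `Equation Native` stream that EQNEDT32.EXE parses).

```python
import re
import struct

# Markers an Equation Editor object leaves behind: the class name in
# \objclass and in the OLE1 header of \objdata, and the stream name inside
# the embedded compound file that EQNEDT32.EXE parses.
EQNEDT_MARKERS = (b"Equation.3", b"Equation.2", b"Equation Native")

OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def is_rtf(data: bytes) -> bool:
    # Word accepts truncated headers such as "{\rt"; exploit builders use them.
    return data.lstrip().startswith(b"{\\rt")


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when an RTF body hides behind a Word-document extension."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return is_rtf(data) and ext in ("doc", "docx", "dot", "dotx")


def decode_objdata(hexblob: bytes) -> bytes:
    """Turn the hex text of an \\objdata group back into bytes."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def ole1_class_name(blob: bytes):
    """Class name from an OLE1 container header (\\objdata), or None."""
    if len(blob) < 12:
        return None
    _version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or not 0 < name_len <= 256:  # 1 = linked, 2 = embedded
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def scan_rtf(filename: str, data: bytes) -> dict:
    """Report RTF-ness, extension mismatch and any Equation Editor object."""
    result = {
        "is_rtf": is_rtf(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "objclasses": [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(data)],
        "ole1_classes": [],
        "equation_editor": False,
    }
    for m in OBJDATA_RE.finditer(data):
        blob = decode_objdata(m.group(1))
        name = ole1_class_name(blob)
        if name:
            result["ole1_classes"].append(name)
        if any(marker in blob for marker in EQNEDT_MARKERS):
            result["equation_editor"] = True
    if any(c.startswith("Equation") for c in result["objclasses"]):
        result["equation_editor"] = True
    return result


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 embedded-object container; used only to build the sample."""
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)          # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)


# Constructed sample, not bytes from the analysed file: an RTF with a
# truncated header and one embedded Equation.3 object whose payload carries
# the "Equation Native" stream name.
SAMPLE_RTF = (
    b"{\\rt\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + build_ole1(b"Equation.3", b"\x00" * 8 + b"Equation Native" + b"\x00" * 8).hex().encode()
    + b"}}}"
)

if __name__ == "__main__":
    print(scan_rtf("Intldvigmefzc_Cop.doc", SAMPLE_RTF))
```

Real exploit documents break the `\objdata` hex up with whitespace, control words and nested groups to defeat naive regexes; for triage of live samples use a tolerant extractor such as oletools' rtfobj. The point of the block is the structure those tools recover: once the hex is decoded, the OLE1 header names the class, and an Equation Editor class on a Windows 7 / Office 2010 host like the one in this report is exactly what CVE-2017-11882 needs.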
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2212)
      • mroutputroj4737.com (PID: 788)
      • mroutputroj4737.com (PID: 1268)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3624)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3624)
    • AGENTTESLA detected

      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2212)
    • Actions look like stealing of personal data

      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2212)
      • NAPSTAT.EXE (PID: 3784)
    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • NAPSTAT.EXE (PID: 3784)
      • Firefox.exe (PID: 2392)
    • Changes the autorun value in the registry

      • NAPSTAT.EXE (PID: 3784)
    • Connects to CnC server

      • explorer.exe (PID: 352)
    • Stealing of credential data

      • NAPSTAT.EXE (PID: 3784)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • mroutputroj4737.com (PID: 788)
      • EQNEDT32.EXE (PID: 3624)
    • Starts application with an unusual extension

      • EQNEDT32.EXE (PID: 3624)
      • mroutputroj4737.com (PID: 1268)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3624)
      • NAPSTAT.EXE (PID: 3784)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3932)
      • EQNEDT32.EXE (PID: 3624)
    • Application launched itself

      • mroutputroj4737.com (PID: 1268)
    • Starts CMD.EXE for commands execution

      • NAPSTAT.EXE (PID: 3784)
    • Loads DLL from Mozilla Firefox

      • NAPSTAT.EXE (PID: 3784)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2172)
      • Firefox.exe (PID: 2392)
    • Manual execution by user

      • autoconv.exe (PID: 2660)
      • WINWORD.EXE (PID: 4060)
      • autoconv.exe (PID: 2772)
      • verclsid.exe (PID: 2892)
      • NAPSTAT.EXE (PID: 3784)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 352)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4060)
      • WINWORD.EXE (PID: 2172)
    • Reads the hosts file

      • NAPSTAT.EXE (PID: 3784)
    • Reads settings of System Certificates

      • MR.FESTUS ORIGIN RAWFILE.exe (PID: 2212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
All screenshots are available in the full report
Total processes
52
Monitored processes
14
Malicious processes
7
Suspicious processes
0

Behavior graph

Process tree as recorded by the graph and the parent-process column below ("no specs" marks processes with no flagged behaviour; "drop and start" marks an edge where the parent wrote the child's file and then executed it):

explorer.exe (352) #FORMBOOK
  winword.exe (2172) no specs
  verclsid.exe (2892) no specs
  winword.exe (4060) no specs
  autoconv.exe (2660) no specs
  autoconv.exe (2772) no specs
svchost.exe
  eqnedt32.exe (3932)
  eqnedt32.exe (3624)
    [drop and start] mroutputroj4737.com (1268) no specs
      mroutputroj4737.com (788)
        [drop and start] mr.festus origin rawfile.exe (2212) #AGENTTESLA
napstat.exe (3784) #FORMBOOK (parent not shown in this excerpt)
  cmd.exe no specs
firefox.exe (2392) #FORMBOOK no specs (parent not shown in this excerpt)

Process information

PID 2172 (parent: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Intldvigmefzc_Cop.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000

PID 3932 (parent: svchost.exe)
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  User: admin | Company: Design Science, Inc. | Integrity level: MEDIUM | Description: Microsoft Equation Editor | Exit code: 0 | Version: 00110900

PID 2892 (parent: explorer.exe)
  CMD: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  Path: C:\Windows\system32\verclsid.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Extension CLSID Verification Host | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4060 (parent: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Intldvigmefzc_Cop.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000

PID 3624 (parent: svchost.exe)
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  User: admin | Company: Design Science, Inc. | Integrity level: MEDIUM | Description: Microsoft Equation Editor | Exit code: 0 | Version: 00110900

PID 1268 (parent: EQNEDT32.EXE)
  CMD: "C:\Users\admin\AppData\Roaming\mroutputroj4737.com"
  Path: C:\Users\admin\AppData\Roaming\mroutputroj4737.com
  User: admin | Company: prj4___Supe4 | Integrity level: MEDIUM | Description: prj4___Supe4 | Exit code: 0 | Version: 6.06.0008

PID 788 (parent: mroutputroj4737.com)
  CMD: "C:\Users\admin\AppData\Roaming\mroutputroj4737.com"
  Path: C:\Users\admin\AppData\Roaming\mroutputroj4737.com
  User: admin | Company: prj4___Supe4 | Integrity level: MEDIUM | Description: prj4___Supe4 | Exit code: 0 | Version: 6.06.0008

PID 2212 (parent: mroutputroj4737.com)
  CMD: "C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe"
  Path: C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe
  User: admin | Company: (empty) | Integrity level: MEDIUM | Description: (empty) | Version: 0.0.0.0

PID 2660 (parent: explorer.exe)
  CMD: "C:\Windows\System32\autoconv.exe"
  Path: C:\Windows\System32\autoconv.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Auto File System Conversion Utility | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2772 (parent: explorer.exe)
  CMD: "C:\Windows\System32\autoconv.exe"
  Path: C:\Windows\System32\autoconv.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Auto File System Conversion Utility | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
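The process table carries the detection logic for this chain. Note that both EQNEDT32.EXE instances have svchost.exe as their parent, not WINWORD.EXE: Equation Editor is activated through COM (the report's "Executed via COM" signature), so a rule keyed on WINWORD.EXE spawning EQNEDT32.EXE never fires. The rules that do hold up are the ones below: EQNEDT32.EXE acting as a parent at all, a binary with a non-.exe executable extension (.com) running out of AppData\Roaming, a process launching a copy of itself, and a user-directory executable whose ancestry leads back to EQNEDT32.EXE. This is example detection code written for this page, not ANY.RUN's signature engine; the event list is constructed to mirror the table above, and the parent PIDs in it are assumptions (the report names parent images only).

```python
import ntpath
import re

USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
UNUSUAL_EXE_EXTS = {".com", ".scr", ".pif", ".cpl"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


# Constructed process-creation events modelled on the report's process table.
# parent_pid values are assumptions; the report lists parent image names only.
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\admin\AppData\Roaming\mroutputroj4737.com"
EVENTS = [
    {"pid": 352, "image": r"C:\Windows\explorer.exe", "parent_pid": None, "parent_image": ""},
    {"pid": 2172, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_pid": 352, "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3624, "image": EQNEDT, "parent_pid": None,
     "parent_image": r"C:\Windows\system32\svchost.exe"},
    {"pid": 1268, "image": DROPPER, "parent_pid": 3624, "parent_image": EQNEDT},
    {"pid": 788, "image": DROPPER, "parent_pid": 1268, "parent_image": DROPPER},
    {"pid": 2212, "image": r"C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe",
     "parent_pid": 788, "parent_image": DROPPER},
]


def eqnedt32_spawns_child(ev, _by_pid):
    # Equation Editor has no reason to create processes. Its own parent is the
    # COM launcher in svchost.exe, so key on it as the parent, not on Word.
    return _name(ev["parent_image"]) == "eqnedt32.exe"


def unusual_extension(ev, _by_pid):
    # PE files run regardless of extension; .com/.scr/.pif/.cpl are rarely legitimate.
    return ntpath.splitext(ev["image"])[1].lower() in UNUSUAL_EXE_EXTS


def launched_itself(ev, _by_pid):
    return ev["parent_image"] != "" and _name(ev["image"]) == _name(ev["parent_image"])


def user_dir_descends_from_eqnedt32(ev, by_pid):
    # Executable in a user-writable path whose ancestry leads back to EQNEDT32.EXE.
    if not USER_WRITABLE_RE.match(ev["image"]):
        return False
    seen, cur = set(), ev
    while cur["parent_pid"] in by_pid and cur["parent_pid"] not in seen:
        seen.add(cur["parent_pid"])
        cur = by_pid[cur["parent_pid"]]
        if _name(cur["image"]) == "eqnedt32.exe":
            return True
    return False


RULES = {
    "eqnedt32_spawns_child": eqnedt32_spawns_child,
    "unusual_extension": unusual_extension,
    "launched_itself": launched_itself,
    "user_dir_descends_from_eqnedt32": user_dir_descends_from_eqnedt32,
}


def evaluate(events):
    """Map PID -> sorted names of the rules that fired; quiet PIDs are omitted."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev, by_pid))
        if fired:
            hits[ev["pid"]] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, ", ".join(fired))
```

Run against the constructed events, the two mroutputroj4737.com instances and the Agent Tesla binary are the only PIDs that fire; WINWORD.EXE, explorer.exe and EQNEDT32.EXE itself stay quiet, which is the behaviour you want from a rule set that is meant to run on every document open. The ancestry walk is what ties the final payload back to the exploit even though its immediate parent is the intermediate .com loader.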
Total events
4 219
Read events
2 452
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
78
Text files
4
Unknown types
3

Dropped files

PID | Process | Filename | Type
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA9A8.tmp.cvr | -
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CF735F48-CB65-4BB1-89F3-B64CC4972684}.tmp | -
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C39DCD18-3F71-4C41-BC7C-8C57C01A2BCE}.tmp | -
4060 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD4F.tmp.cvr | -
2172 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
    MD5: D3E45E9E34C71A48C10FD945E9620BAF | SHA256: 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
788 | mroutputroj4737.com | C:\Users\admin\MR.FESTUS ORIGIN RAWFILE.exe | executable
    MD5: 2BB3E1663EC6DFB78F9574559E331BE1 | SHA256: C898CD3EF82837832268CE20D9DD354C3B8C85803AEC9A591D6A9A0EBE69CFF8
3624 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\mroutputroj4737.com | executable
    MD5: 9D75446EE972C262B11A84A7E78C18AA | SHA256: E5BA5561A595F111ED5EBFC11CE700B12F0736BEAB9638ACD2403C35620D68FD
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8E7C4E4A-3096-4CBD-AAE0-E084289DABF5}.tmp | binary
    MD5: 0A50F85ADB694C0A5BDED259DAD76A88 | SHA256: E61E62B44B85C06D8E6BDDB7F9AFA42DE64526D740C7E5B045EEF66703BF84D7
3784 | NAPSTAT.EXE | C:\Users\admin\AppData\Roaming\1NP-10-A\1NPlogrc.ini | binary
    MD5: 6A2D8FD600948CEFEA9C615AF9607BD5 | SHA256: 8A8A84891ECB2032320D1C0DE99FDCD94100DF10F352D9F96FD1B2433CD4D45B
2212 | MR.FESTUS ORIGIN RAWFILE.exe | C:\Users\admin\AppData\Local\Temp\06abc01b-dc19-4b74-9fae-ff4a2d07f58b | sqlite
    MD5: 0B3C43342CE2A99318AA0FE9E531C57B | SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
16
DNS requests
14
Threats
0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
352 | explorer.exe | GET | 404 | 211.149.138.87:80 | http://www.scjiaoyuwang.com/s0s/?ARrx=oNLLEs6gns8/nYjFA2pfOarYeivZROzH5GNw9vN0cZ/upd8UgUyaMrBeFye05D3AS0SlQQ==&kDql=uXTpgPWx5&sql=1 | CN | - | - | malicious
352 | explorer.exe | POST | - | 211.149.138.87:80 | http://www.scjiaoyuwang.com/s0s/ | CN | - | - | malicious
3624 | EQNEDT32.EXE | GET | 200 | 162.144.128.116:80 | http://dubem.top/templ/MR_output1AF2EE0.exe | US | executable | 1000 Kb | malicious
352 | explorer.exe | GET | - | 50.63.202.54:80 | http://www.miamilakesholistictherapy.com/s0s/?ARrx=7dCGkfN753CqEzFOj0FfDmX1N0/cMErS+a4+kHTx2hMdMxVVJ39bszixn68ZZR7XP6KD9A==&kDql=uXTpgPWx5&sql=1 | US | - | - | malicious
352 | explorer.exe | POST | - | 211.149.138.87:80 | http://www.scjiaoyuwang.com/s0s/ | CN | - | - | malicious
352 | explorer.exe | POST | - | 50.63.202.54:80 | http://www.miamilakesholistictherapy.com/s0s/ | US | - | - | malicious
352 | explorer.exe | GET | 404 | 198.54.112.75:80 | http://www.veroxin.com/s0s/?ARrx=XRfKtVzRu9gnpn6s9wr01LIm7iyvzn/+19OH8TwzRpgW1L/sUsCxlwkfUlEP59usubtTTQ==&kDql=uXTpgPWx5 | US | html | 327 b | malicious
352 | explorer.exe | POST | - | 211.149.138.87:80 | http://www.scjiaoyuwang.com/s0s/ | CN | - | - | malicious
352 | explorer.exe | POST | - | 217.160.0.78:80 | http://www.artecesped.com/s0s/ | DE | - | - | malicious
352 | explorer.exe | POST | - | 217.160.0.78:80 | http://www.artecesped.com/s0s/ | DE | - | - | malicious
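The FormBook traffic in this table has a recognisable shape, and it is what the PTsecurity "FormBook CnC Checkin" alerts in the Threats section key on: the requests come from explorer.exe (FormBook injects into explorer.exe rather than running under its own image), every host shares one short path (/s0s/), the GET carries two randomly named parameters (a long base64 blob and a short identifier) with an optional sql=1, and the POSTs go to the same path with no query string. Most of the hosts 404 or never resolve; FormBook walks a list of domains, and the DNS section below shows it trying several that return nothing. The function below encodes that shape as a detector. It is example code written for this page, not the PTsecurity rule and not ANY.RUN's; the request list is copied from the table above plus one constructed benign line, and the regex bounds (key length, blob length) are my approximation of the pattern, not a published specification.

```python
import re
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,5}/$")        # e.g. /s0s/
KEY_RE = re.compile(r"^[A-Za-z0-9]{2,6}$")           # e.g. ARrx, kDql
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # encrypted check-in blob
SHORT_RE = re.compile(r"^[A-Za-z0-9]{4,16}$")        # e.g. uXTpgPWx5


def split_query(query: str):
    """Split a query string without percent-decoding: '+' and '/' are data here."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def is_formbook_get(url: str) -> bool:
    """Short fixed path, two random-named params (base64 blob + short id), optional sql=1."""
    u = urlsplit(url)
    if not PATH_RE.match(u.path) or not u.query:
        return False
    pairs = split_query(u.query)
    if pairs and pairs[-1] == ("sql", "1"):     # optional trailing marker
        pairs = pairs[:-1]
    if len(pairs) != 2:
        return False
    (k1, v1), (k2, v2) = pairs
    return bool(KEY_RE.match(k1) and B64_RE.match(v1)
                and KEY_RE.match(k2) and SHORT_RE.match(v2))


def analyze(requests):
    """requests: (pid, process, method, url) tuples. Returns one finding per flagged request.

    POSTs are flagged by correlation: a bare POST to a path that a check-in GET
    already used, on any host, since FormBook reuses one path across its domain list.
    """
    findings = []
    checkin_paths = set()
    for pid, proc, method, url in requests:
        if method == "GET" and is_formbook_get(url):
            u = urlsplit(url)
            checkin_paths.add(u.path)
            findings.append({"pid": pid, "process": proc, "method": "GET",
                             "host": u.hostname, "reason": "check-in GET"})
    for pid, proc, method, url in requests:
        u = urlsplit(url)
        if method == "POST" and not u.query and u.path in checkin_paths:
            findings.append({"pid": pid, "process": proc, "method": "POST",
                             "host": u.hostname, "reason": "POST to a check-in path"})
    return findings


# Requests as listed in the report's HTTP table, plus one constructed benign
# request (example.invalid) that shares the /s0s/ path but not the parameter shape.
REQUESTS = [
    (352, "explorer.exe", "GET", "http://www.scjiaoyuwang.com/s0s/?ARrx=oNLLEs6gns8/nYjFA2pfOarYeivZROzH5GNw9vN0cZ/upd8UgUyaMrBeFye05D3AS0SlQQ==&kDql=uXTpgPWx5&sql=1"),
    (352, "explorer.exe", "POST", "http://www.scjiaoyuwang.com/s0s/"),
    (3624, "EQNEDT32.EXE", "GET", "http://dubem.top/templ/MR_output1AF2EE0.exe"),
    (352, "explorer.exe", "GET", "http://www.miamilakesholistictherapy.com/s0s/?ARrx=7dCGkfN753CqEzFOj0FfDmX1N0/cMErS+a4+kHTx2hMdMxVVJ39bszixn68ZZR7XP6KD9A==&kDql=uXTpgPWx5&sql=1"),
    (352, "explorer.exe", "POST", "http://www.miamilakesholistictherapy.com/s0s/"),
    (352, "explorer.exe", "GET", "http://www.veroxin.com/s0s/?ARrx=XRfKtVzRu9gnpn6s9wr01LIm7iyvzn/+19OH8TwzRpgW1L/sUsCxlwkfUlEP59usubtTTQ==&kDql=uXTpgPWx5"),
    (352, "explorer.exe", "POST", "http://www.artecesped.com/s0s/"),
    (1234, "browser.exe", "GET", "http://example.invalid/s0s/?id=12&page=2"),
]

if __name__ == "__main__":
    for f in analyze(REQUESTS):
        print(f["pid"], f["process"], f["method"], f["host"], "-", f["reason"])
```

The query parser deliberately skips percent-decoding: the blob alphabet includes '+' and '/', and a decoder that turns '+' into a space would break the match on the miamilakesholistictherapy.com request. The payload download from dubem.top by EQNEDT32.EXE is not matched by this rule and should not be; it is caught by the process rules and by the "EXE download from suspicious TLD" alerts listed under Threats.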

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2212 | MR.FESTUS ORIGIN RAWFILE.exe | 208.91.198.143:587 | us2.smtp.mailhostbox.com | PDR | US | shared
3624 | EQNEDT32.EXE | 162.144.128.116:80 | dubem.top | Unified Layer | US | malicious
3932 | EQNEDT32.EXE | 162.144.128.116:80 | dubem.top | Unified Layer | US | malicious
- | - | 217.160.0.78:80 | www.artecesped.com | 1&1 Internet SE | DE | malicious
352 | explorer.exe | 198.54.112.75:80 | www.veroxin.com | Namecheap, Inc. | US | malicious
352 | explorer.exe | 211.149.138.87:80 | www.scjiaoyuwang.com | CHINANET SiChuan Telecom Internet Data Center | CN | malicious
352 | explorer.exe | 217.160.0.78:80 | www.artecesped.com | 1&1 Internet SE | DE | malicious
352 | explorer.exe | 50.63.202.54:80 | www.miamilakesholistictherapy.com | GoDaddy.com, LLC | US | malicious

DNS requests

Domain | IP | Reputation
dubem.top | 162.144.128.116 | unknown
us2.smtp.mailhostbox.com | 208.91.198.143, 208.91.199.224, 208.91.199.223, 208.91.199.225 | shared
www.wlgj66.com | (no answer) | unknown
www.ibericoargentino.com | (no answer) | unknown
www.www997789.com | (no answer) | unknown
www.borespanda.com | (no answer) | unknown
www.veroxin.com | 198.54.112.75 | malicious
www.scjiaoyuwang.com | 211.149.138.87 | malicious
www.simbascfans.com | (no answer) | unknown
www.artecesped.com | 217.160.0.78 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3624 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3624 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
3624 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3624 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD
2212 | MR.FESTUS ORIGIN RAWFILE.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
352 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST)
11 ETPRO signatures available at the full report
No debug info