File name: | invoice.doc |
Full analysis: | https://app.any.run/tasks/4d94c78c-16b9-4eb7-95f8-81e703bf9e7a |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 17, 2019, 06:36:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | AA7C9DBE460CA0AAEBF5EE179506835E |
SHA1: | 99ACBE9B52C2DCB90D7E614C5141799C47D80828 |
SHA256: | 5E4DC6CA3E098A492D3F68A354996E8E93BA7D21E1225E06745234140C9E600A |
SSDEEP: | 96:iXw4mvvBmwrXvk9ck1yTiiOSrS4EAUhOgEIhSaMTH4:o4Ps9cUWS4EAsO/Ikp4 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3488 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3300 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3676 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | malik.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB9BB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:10D5D2EE19E3C9B5A395D5325EF65E31 | SHA256:C61AC56F59D30F6AFEE6A9A9ECA6E3F5A53173CE5762FBD464269BB7C915DF7A | |||
3676 | malik.exe | C:\Users\admin\AppData\Local\Temp\636989458286033750_9a1046b1-d754-4447-839b-c60abc7b57a7.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nvoice.doc | pgc | |
MD5:070CBB1212E758D032E6444565794586 | SHA256:C76AA570DF9A8C5BA67DF6569072A1FC9A42F6FB6309B307C0BE0CE13F1D4CA9 | |||
3488 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dj[1].exe | executable | |
MD5:FF240E045FC9ADF6E2F3A2589C5D79CB | SHA256:D003AA5C32917095F339B80979AC0958DE072FFDF2E8DE6AB9B30090989BBA78 | |||
3488 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\malik.exe | executable | |
MD5:FF240E045FC9ADF6E2F3A2589C5D79CB | SHA256:D003AA5C32917095F339B80979AC0958DE072FFDF2E8DE6AB9B30090989BBA78 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3676 | malik.exe | GET | 200 | 52.206.161.133:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3676 | malik.exe | 43.225.55.205:587 | mail.hindlab.com | PDR | AE | malicious |
3488 | EQNEDT32.EXE | 66.70.251.111:80 | garciaikoplesver.net | OVH SAS | CA | suspicious |
3676 | malik.exe | 52.206.161.133:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
garciaikoplesver.net |
| suspicious |
mail.hindlab.com |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3488 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3488 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3676 | malik.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |