File name: | invoice.doc |
Full analysis: | https://app.any.run/tasks/e56a0d15-731c-4f1c-aa30-149abfdc7455 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 17, 2019, 06:39:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | AA7C9DBE460CA0AAEBF5EE179506835E |
SHA1: | 99ACBE9B52C2DCB90D7E614C5141799C47D80828 |
SHA256: | 5E4DC6CA3E098A492D3F68A354996E8E93BA7D21E1225E06745234140C9E600A |
SSDEEP: | 96:iXw4mvvBmwrXvk9ck1yTiiOSrS4EAUhOgEIhSaMTH4:o4Ps9cUWS4EAsO/Ikp4 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3532 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3956 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3596 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3772 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | malik.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRABE0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3772 | malik.exe | C:\Users\admin\AppData\Local\Temp\636989460260453750_78bfdca6-c8e7-410f-88be-f02e61769c07.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3532 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F2DE1431816F1A887F11E37F0E5B78C1 | SHA256:AC75C28502BA69F35891655C9ADFC2B4C73730F00CE0F6C22519E9B5B48762BD | |||
3956 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\malik.exe | executable | |
MD5:FF240E045FC9ADF6E2F3A2589C5D79CB | SHA256:D003AA5C32917095F339B80979AC0958DE072FFDF2E8DE6AB9B30090989BBA78 | |||
3956 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dj[1].exe | executable | |
MD5:FF240E045FC9ADF6E2F3A2589C5D79CB | SHA256:D003AA5C32917095F339B80979AC0958DE072FFDF2E8DE6AB9B30090989BBA78 | |||
3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nvoice.doc | pgc | |
MD5:2CFF9C492FDBBFDF2613E0F61F7491E7 | SHA256:CACB76F9533A10000D870A4797FDAACA9B064BEEED7AC2752816F95B52CAF243 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3956 | EQNEDT32.EXE | GET | 200 | 66.70.251.111:80 | http://garciaikoplesver.net/dj/dj.exe | CA | executable | 704 Kb | suspicious |
3772 | malik.exe | GET | 200 | 34.233.102.38:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3772 | malik.exe | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3956 | EQNEDT32.EXE | 66.70.251.111:80 | garciaikoplesver.net | OVH SAS | CA | suspicious |
3772 | malik.exe | 43.225.55.205:587 | mail.hindlab.com | PDR | AE | malicious |
Domain | IP | Reputation |
---|---|---|
garciaikoplesver.net |
| suspicious |
mail.hindlab.com |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3956 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3956 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3772 | malik.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3772 | malik.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |