File name: | scan_RFQ-BE3100.xlsx |
Full analysis: | https://app.any.run/tasks/ab27140f-47e2-4d42-bac7-6d35399bb544 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | December 06, 2019, 12:23:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 98F5B739247E5051A4964B469BC1ED4B |
SHA1: | 5A3A0B0ADF48173748E3B9AD31FAD56A0B57B12A |
SHA256: | 69FED657536E7E792031CF9D9CA05D38E8599317EA27F6E733AA309749D7BFB5 |
SSDEEP: | 24576:BEk1rkfwKSsrrB01BcR/rRSYG2JGEuUkobQqXWcAU7d8inmTYJ:BEKkYHqrlx8VGZ0qGlUhLBJ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2572 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2496 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
884 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | EQNEDT32.EXE | |
User: admin Company: Rickard Johansson Integrity Level: MEDIUM Description: Supply Place Paid Apogee Version: 7.6.1.5 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAA73.tmp.cvr | — | |
MD5:— | SHA256:— | |||
884 | vbc.exe | C:\Users\admin\AppData\Local\Temp\74ae133c-e340-4f58-9b26-56d760ae1cd2 | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
2496 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\vbc[1].exe | executable | |
MD5:48F59373EF63E36CE4796FDB3C912D64 | SHA256:3D6A994684F9E949592558C2B4539C9BD05E3EB2A454ADC73ED73743A4E8D59E | |||
2496 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:48F59373EF63E36CE4796FDB3C912D64 | SHA256:3D6A994684F9E949592558C2B4539C9BD05E3EB2A454ADC73ED73743A4E8D59E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
884 | vbc.exe | 208.91.199.225:587 | us2.smtp.mailhostbox.com | PDR | US | shared |
2496 | EQNEDT32.EXE | 216.170.118.183:80 | globalsharesecurefilesgood.duckdns.org | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
globalsharesecurefilesgood.duckdns.org |
| malicious |
us2.smtp.mailhostbox.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2496 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2496 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |