File name: phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/2debefe0-4522-4496-bba2-6cb52496dd71
Verdict: Malicious activity
Analysis date: May 20, 2022, 17:06:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5: AFA64A06E10B06B02A90FBF4A0F8C290
SHA1: B97E23AB5EA7BA63A223FFB8B23904E8F4E3F5A3
SHA256: 6ECF8FF6074DEFF578ED823AC058218E8BC41DC5EBDD09FCDDB7F70729A29D04
SSDEEP: 24576:hi/PkKtmICsbLEm6eLRuUHDvKC6KC37pVBKA2tk5KBpXKiB1bA74ocQ27XlRauGv:jWRu12AWBVQjGjaUSeu/Hh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2944)
      • vlc.exe (PID: 3768)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 2944)
      • vlc.exe (PID: 3768)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2944)
      • vlc.exe (PID: 3768)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2944)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2944)
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> outlook.exe -> vlc.exe

Process information

PID | CMD | Path | Parent process
2944 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000
3768 | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\LXDIXIQ0\audio.mp3" | C:\Program Files\VideoLAN\VLC\vlc.exe | OUTLOOK.EXE
  User: admin
  Company: VideoLAN
  Integrity Level: MEDIUM
  Description: VLC media player
  Exit code: 0
  Version: 3.0.11
Total events: 10 569
Read events: 9 978
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 0
Suspicious files: 1
Text files: 19
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDA3A.tmp | cvr
  MD5:
  SHA256:
2944 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst |
  MD5:
  SHA256:
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 25AA296942565D1C59B685A081AFB367
  SHA256: 683172FE2E6A8DDC484152FC3A20AF05CD56179F345941E9E4D9B77FC845E46A
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmpDBC1.tmp | binary
  MD5: 6B452C27C644605E727DE9C86B92D5B7
  SHA256: D2183DC899D91784BB8DD3D0C3C1DE8267FDC52B71F9C13BFF5CFC11D865B37B
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\LXDIXIQ0\audio.mp3 | mp3
  MD5: 845E4D01F02EABBD7AE368786C3CBBF4
  SHA256: AD6815E5122B208CAE4CD7450A39B2AB6F5276BE05DC68F65A2A22C994F1D367
3768 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\ml.xspf |
  MD5:
  SHA256:
3768 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Hp3768 | ini
  MD5: EEFD29F781ACDB1BEFD6B98B576B8CE5
  SHA256: 740D5CB34C2C92432D5FFCA3E2C5FC6B0F7D276844F6CD8CD46D2914A0497BAF
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: FB82572AAF9C4A7CD2D6563920D36505
  SHA256: FEFFEE33B34650810EA491F7D8188A978AF09A99E9960809814899B8F43D8D40
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\LXDIXIQ0\audio (2).mp3 | mp3
  MD5: 845E4D01F02EABBD7AE368786C3CBBF4
  SHA256: AD6815E5122B208CAE4CD7450A39B2AB6F5276BE05DC68F65A2A22C994F1D367
3768 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini | ini
  MD5: EEFD29F781ACDB1BEFD6B98B576B8CE5
  SHA256: 740D5CB34C2C92432D5FFCA3E2C5FC6B0F7D276844F6CD8CD46D2914A0497BAF
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2944 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2944 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted

Threats

No threats detected
Process | Message
vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team
vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe | main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
vlc.exe | main libvlc debug: using multimedia timers as clock source
vlc.exe | main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe | main libvlc debug: searching plug-in modules
vlc.exe | main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
vlc.exe | main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
vlc.exe | main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll