Field | Value
---|---
File name | 07_09_19 _11_42_44_gelenmail.doc
Full analysis | https://app.any.run/tasks/3368c697-1bb3-4a45-bb3b-96ace709b684
Verdict | Malicious activity
Threats | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users' data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Analysis date | July 11, 2019, 16:39:14
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/rtf
File info | Rich Text Format data, unknown version
MD5 | 6FF7F083AB1EBC9E1BB789D6C46E5B83
SHA1 | 083A00A32CEA6F65ED4B2B69E0B75EDB84E6C50F
SHA256 | 76D14D6BF06D167349029523B223ADAACB7A612CBCC318D58ECE849A9C59A944
SSDEEP | 96:vism2xPbdVMx0V9UIaV2FIIFAgUF1XwOermejQHLNK2S:RjwyV9U70RUF1Xi4JK/

Extension | Detected type
---|---
.rtf | Rich Text Format (100)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2900 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\07_09_19 _11_42_44_gelenmail.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
3496 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe
3168 | "C:\Users\admin\AppData\Roaming\wyval.exe" | C:\Users\admin\AppData\Roaming\wyval.exe | — | EQNEDT32.EXE
3232 | "C:\Users\admin\AppData\Roaming\wyval.exe" | C:\Users\admin\AppData\Roaming\wyval.exe | — | wyval.exe

PID | User | Company | Integrity level | Description | Version | Exit code
---|---|---|---|---|---|---
2900 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | —
3496 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 00110900 | 0
3168 | admin | How, Inc | MEDIUM | Free YouTube Downloader Setup Program | 595.15.459.905 | —
3232 | admin | How, Inc | MEDIUM | Free YouTube Downloader Setup Program | 595.15.459.905 | —
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR37E2.tmp.cvr | — | — | —
3232 | wyval.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | 60284BD9DCE79E09048DCD6D7B0D7BAE | 3DD3365B2EE5CACAEFC3EEF96AF0768C4052B2464377780FC12A20BFD78251BF
2900 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 88B517298A6A675B59751F471E8BD9E7 | 1FB840147883289F06B49D8157E308EAA53DE97AC4D5A5D864B4DD1E305ABAC5
2900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_09_19 _11_42_44_gelenmail.doc.rtf | pgc | B20EC745F8E0A7F52D013F0A635E9FA5 | D732BA845CA7D6AB10391EDC767B6F46156AF5E41CD28772E5D566EFC85BC6B8
3168 | wyval.exe | C:\Users\Public\bKqoAfTmyH.vbs | text | 4B209483968C3A9D3DA0C157104D713E | 10543CD0CAF93A0BCCA949DC808B431B5C1E30EC98650D5F243D65180DC90382
3496 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ca[1].exe | executable | F7661B5B561CC67DABE2FF706704D0CC | 39EE9CE6D225D0464A5A80760993B22C151E60DAA128CA832C7CBC3A8705117A
3496 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\wyval.exe | executable | F7661B5B561CC67DABE2FF706704D0CC | 39EE9CE6D225D0464A5A80760993B22C151E60DAA128CA832C7CBC3A8705117A
3168 | wyval.exe | C:\Users\admin\wydad\vcasehdndbnseb.bat | executable | 0FF7B809CC797B91AA775A48FF90B68F | 14DEC20B99F4DB1114EC1A44F03EDACE45C4D94938AD38C158E007530FA2FE63
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3496 | EQNEDT32.EXE | GET | 200 | 167.114.113.137:80 | http://ca.fakesemoca16.com/ca.exe | CA | executable | 1.22 Mb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 178.239.21.3:8234 | cazt01money.ddns.net | Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | BA | malicious |
3232 | wyval.exe | 178.239.21.3:8234 | cazt01money.ddns.net | Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | BA | malicious |
3496 | EQNEDT32.EXE | 167.114.113.137:80 | ca.fakesemoca16.com | OVH SAS | CA | suspicious |
Domain | IP | Reputation
---|---|---
ca.fakesemoca16.com | — | suspicious
cazt01money.ddns.net | — | malicious
PID | Process | Class | Message |
---|---|---|---|
3496 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3496 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |