analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Fw 7172019 Your billing statement is ready 'Item No.568E05008RK20156.msg

Full analysis: https://app.any.run/tasks/bef33846-900e-4e64-8b47-4b8101b0caf3
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 17, 2019, 12:16:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

35A6516877ED7B68A55A533A122C19F4

SHA1:

2CAA305834DA1F752B08938B01F6567B52671F2B

SHA256:

94B8AD15A19A62D033D423653DEE052468EA9DD4018796E7BB67EA0D7700291C

SSDEEP:

1536:XgQXwRDfGiK4SE+gKv74awq1H+mZ5I5yXA/hV:Xg0wGiK4SE+gKv74awq1H+mZ5I5yXA/D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3848)
  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3848)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3848)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3848)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3824)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2284)
      • iexplore.exe (PID: 3504)
    • Creates files in the user directory

      • iexplore.exe (PID: 2284)
      • iexplore.exe (PID: 3824)
      • iexplore.exe (PID: 3504)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2284)
      • iexplore.exe (PID: 3504)
    • Application launched itself

      • iexplore.exe (PID: 3824)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3848)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3824)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3504)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3824)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3848"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Fw 7172019 Your billing statement is ready 'Item No.568E05008RK20156.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3824"C:\Program Files\Internet Explorer\iexplore.exe" http://daniel16-pokas-dvduvd.canoses.online/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2284"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3824 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3504"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3824 CREDAT:6403C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 915
Read events
1 369
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
114
Unknown types
11

Dropped files

PID
Process
Filename
Type
3848OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF453.tmp.cvr
MD5:
SHA256:
3824iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3824iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2284iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
MD5:
SHA256:
2284iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\google_com[1].txt
MD5:
SHA256:
3848OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:19482D55E27CC8B52BC9AB92E685E7B9
SHA256:82B19DDA7C2196D9D6D63214C26769CEEA7BB39B5A7751C816DBDFB7C1244932
2284iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[2].txttext
MD5:03AFC16F0CBECDC2BE54B8AF65DB60DE
SHA256:5B8834098CBD50115DB483AF1168B237B2789FC52705509F915369F15EF3BAA9
2284iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:37F319E961DEB3A156FC2129BE3B3D86
SHA256:100E7C6638B36293E2E94CBF2AB04FDB575384A56FA38F660FC04B7789720609
2284iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:9F32A74606AEDF1738558C62812CE6C2
SHA256:83BE2FBDCFE835D884B9C61B52C6C3CA7DDE4B3BE41438F12655CE67FA4A9B52
2284iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\google_com[1].htmhtml
MD5:BE5519CADBDAD3FA30D78652E883AB44
SHA256:511168A155A0E5DCB6B38D00DEBB52F780F0D3AC0B216026E164BCB35DAA435E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
57
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3848
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2284
iexplore.exe
GET
302
51.89.138.50:80
http://daniel16-pokas-dvduvd.canoses.online/
GB
malicious
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rs/31/25/cj,nj/4c7364c5/40e1b425.js
US
text
816 b
whitelisted
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/search?q=bbc+news&src=IE-SearchBox&FORM=IE8SRC
US
html
69.6 Kb
whitelisted
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/sa/simg/SharedSpriteDesktopRewards_022118.png
US
image
5.73 Kb
whitelisted
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rb/5m/cj,nj/c44ec255/9a358300.js?bu=EsMf5R-KH48f6gSbH50f8R-fH6Yfrx_dH9sfzB-7Hsgdyx2-Hg
US
text
4.95 Kb
whitelisted
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rs/5m/1o0/cj,nj/e90431ed/b2fe50be.js
US
text
171 b
whitelisted
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/th?id=OIP.aGxgSx2Hs0bxgLEP37ugfgHgFo:OIP.IkT1XVPQ2rV5JSC2UW2OKgHgFo:OIP.ZOW52WqJTa2uuu-teMlwpgHgFo:OIP.zZ5ytMdVFFell2qVFM8nPQHgFo:OIP.NtIXvV7Qw7JTGgMcx_J-nQHgFo:OIP.FcI0TzTvt9I-uyM9-UBflwHgFo&w=196&h=111&c=7&rs=1&qlt=80&pid=13.1&bw=3&bc=ffffff
US
image
42.5 Kb
whitelisted
3504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rs/6p/57/cj,nj/347afee2/33036ea1.js
US
text
1.77 Kb
whitelisted
3824
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3504
iexplore.exe
172.217.23.163:80
google.com.co
Google Inc.
US
whitelisted
3504
iexplore.exe
172.217.23.163:443
google.com.co
Google Inc.
US
whitelisted
172.217.23.163:80
google.com.co
Google Inc.
US
whitelisted
3824
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
172.217.23.163:443
google.com.co
Google Inc.
US
whitelisted
2284
iexplore.exe
51.89.138.50:80
daniel16-pokas-dvduvd.canoses.online
GB
malicious
2284
iexplore.exe
172.217.22.100:443
www.google.com
Google Inc.
US
whitelisted
3848
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
172.217.22.100:443
www.google.com
Google Inc.
US
whitelisted
3504
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
daniel16-pokas-dvduvd.canoses.online
  • 51.89.138.50
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.google.com
  • 172.217.22.100
whitelisted
google.com.co
  • 172.217.23.163
whitelisted
www.google.com.co
  • 172.217.23.163
whitelisted
login.live.com
  • 40.90.23.209
  • 40.90.23.215
  • 40.90.23.153
whitelisted
aac39e9e7d0d092185e7e0fb41a926b8.clo.footprintdns.com
  • 40.86.215.224
unknown
c41646f309b350ea21b11c1265957a5f.clo.footprintdns.com
  • 13.107.6.163
suspicious
www.bbc.com
  • 52.57.238.9
  • 18.195.39.25
  • 52.57.128.175
whitelisted

Threats

PID
Process
Class
Message
2284
iexplore.exe
A Network Trojan was detected
ET TROJAN XLS.Unk DDE rar Drop Attempt (.online)
No debug info