analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_sp2_2.0.0.0 (18).eml

Full analysis: https://app.any.run/tasks/0180b929-596d-40b6-a283-4ffe8b269862
Verdict: Malicious activity
Analysis date: January 24, 2022, 18:51:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

5483BA0379A3C896100730A561BF0D3A

SHA1:

93EF67EF6BAE3B8AD1E26D9863F7D241309077ED

SHA256:

96B28F545491199E47FA840A4E44627D7875716D0F5FAF508926CA0592F8442F

SSDEEP:

1536:TsqqPKgz5GD8SJxc2EmZ1pmmstSZZg+z66J:iiCbSfOmU+1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3148)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 3148)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3148)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3148)
    • Executed via COM

      • OUTLOOK.EXE (PID: 3472)
  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3472)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3472)
      • OUTLOOK.EXE (PID: 3148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe outlook.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3148"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0 (18).eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3472"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Total events
5 109
Read events
4 115
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
18
Unknown types
1

Dropped files

PID
Process
Filename
Type
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRE8CD.tmp.cvr
MD5:
SHA256:
3148OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3472OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRBE5.tmp.cvr
MD5:
SHA256:
3148OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:8B5EB846593234CBBD41E984B7789683
SHA256:EC936CC871F9E8486EF3389C34B5E32B538825B47D7CBF2BB5B7F36A7305E2E3
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:C695D9E72234414A914B5A8AA2F85AE9
SHA256:4EE6BDB7777890CFF482FAC75CFE637C58F20C68A966DA0DF1907C5F14FFD9DC
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94954A8.datimage
MD5:F7141E8297EF09B24A2543C4B5852B34
SHA256:898ABCC86C2BF46C06B75163630A37215588AA3BC9816F5C61B69D87F9463945
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_CFEF02B37C20724E916CB3E7D0997470.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1FEF5874.datimage
MD5:F7141E8297EF09B24A2543C4B5852B34
SHA256:898ABCC86C2BF46C06B75163630A37215588AA3BC9816F5C61B69D87F9463945
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_6CF295D2BADE744AA4C133547BBBF6DC.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
3148OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9FB9B5E5.datimage
MD5:5B803241712D3ACCFCC7F549CD00A7BC
SHA256:C0D934A4ED60ACD93F0B82AE59B059D4E9BCFB028C9CF31926068F61E4A76633
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3148
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3148
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info