analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

request for quotation.doc

Full analysis: https://app.any.run/tasks/c913f4fe-dddd-4e9e-9ea4-d44d3e933ffd
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: April 25, 2019, 09:25:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
keylogger
stealer
agenttesla
evasion
trojan
rat
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

893409D70E8324046C0DAC58CD41BD90

SHA1:

E4E16990617B15FFCB41736CA858012E9481FD29

SHA256:

A622F169FB03BF1D979A6BAD1303648B56BD93D1B9421D606A7939AC61BFAE60

SSDEEP:

96:Crp00Rv/EKMpjvF8xz4Z3gRP9MY43swBe+9:CLyppzZ3gmY48Ce+9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • lojmnvdfghjk.com (PID: 2280)
      • lojmnvdfghjk.com (PID: 4032)
    • Detected AgentTesla Keylogger

      • lojmnvdfghjk.com (PID: 4032)
    • Changes the autorun value in the registry

      • lojmnvdfghjk.com (PID: 4032)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1216)
    • Actions looks like stealing of personal data

      • lojmnvdfghjk.com (PID: 4032)
    • Changes settings of System certificates

      • lojmnvdfghjk.com (PID: 4032)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1216)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1216)
    • Application launched itself

      • lojmnvdfghjk.com (PID: 2280)
    • Starts application with an unusual extension

      • EQNEDT32.EXE (PID: 1216)
      • lojmnvdfghjk.com (PID: 2280)
    • Adds / modifies Windows certificates

      • lojmnvdfghjk.com (PID: 4032)
    • Checks for external IP

      • lojmnvdfghjk.com (PID: 4032)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2172)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe lojmnvdfghjk.com no specs #AGENTTESLA lojmnvdfghjk.com

Process information

PID
CMD
Path
Indicators
Parent process
2172"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\request for quotation.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1216"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2280"C:\Users\admin\AppData\Local\Temp\lojmnvdfghjk.com"C:\Users\admin\AppData\Local\Temp\lojmnvdfghjk.comEQNEDT32.EXE
User:
admin
Company:
noyading
Integrity Level:
MEDIUM
Description:
mermithogyne4
Exit code:
0
Version:
1.03.0008
4032C:\Users\admin\AppData\Local\Temp\lojmnvdfghjk.com"C:\Users\admin\AppData\Local\Temp\lojmnvdfghjk.com
lojmnvdfghjk.com
User:
admin
Company:
noyading
Integrity Level:
MEDIUM
Description:
mermithogyne4
Version:
1.03.0008
Total events
1 203
Read events
816
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
2172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2E60.tmp.cvr
MD5:
SHA256:
1216EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\deck[1].jpgexecutable
MD5:5CB3EC293338CBD8A6CAD6A7C651F2C7
SHA256:19D28E0D164FE33B7E8AE76081FF547851D1E61A59451794C9D9B7838667E353
1216EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\lojmnvdfghjk.comexecutable
MD5:5CB3EC293338CBD8A6CAD6A7C651F2C7
SHA256:19D28E0D164FE33B7E8AE76081FF547851D1E61A59451794C9D9B7838667E353
2172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$quest for quotation.doc.rtfpgc
MD5:559878B1AC128A572850A527AD6B41B6
SHA256:CE7FD0EC81E1A36C36B7E37ED001236F0F9D6880CC15B53CA3FD53B3F3E1AD7D
2172WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E0A6D871DF9AF8A843020CC2FC70CA4E
SHA256:33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47
1216EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4032
lojmnvdfghjk.com
GET
200
18.211.215.84:80
http://checkip.amazonaws.com/
US
text
15 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1216
EQNEDT32.EXE
112.213.89.40:443
tfvn.com.vn
SUPERDATA
VN
malicious
4032
lojmnvdfghjk.com
18.211.215.84:80
checkip.amazonaws.com
US
shared
4032
lojmnvdfghjk.com
198.54.122.60:587
mail.privateemail.com
Namecheap, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
tfvn.com.vn
  • 112.213.89.40
unknown
mail.privateemail.com
  • 198.54.122.60
shared
checkip.amazonaws.com
  • 18.211.215.84
  • 52.200.125.74
  • 52.6.79.229
  • 34.233.102.38
  • 52.206.161.133
  • 52.202.139.131
shared

Threats

PID
Process
Class
Message
4032
lojmnvdfghjk.com
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
4032
lojmnvdfghjk.com
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
3 ETPRO signatures available at the full report
No debug info