File name: | AQUILAR INDUSTRIAS METALICAS- SOLICITUD URGENTE DE PRESUPUESTO 11022019.xlsx |
Full analysis: | https://app.any.run/tasks/79ef70cb-1819-4808-8d2e-60fad1e6232a |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | February 11, 2019, 11:16:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 93CC2216625D75F42330FBE6DD40B3EC |
SHA1: | 1C34CFA7A39EF051AFDB48BAED96F9CDA077B16A |
SHA256: | A6C9A7A3B2D3875ACD4131AE7888A6A8A2BB0E805C523C355C2E7AF697DB92AB |
SSDEEP: | 3072:H3TIrkhBLJppBXy1Q35WAGR7mBPZRu9qD+Cn0U/VvqP30t4HvsXFI4ee:HErGFJNi1Q3ei9ZRuqDb0U/VvqctcvsD |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2756 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2812 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2676 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | vbc.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2968 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6AB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2756 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:05B81ACCA6AECB7B4D609E3A7EF043F9 | SHA256:49B9604F746102FEF8FC7D846D7ECDFA9334A0DF6C3C92B81B2F4DB64BE59581 | |||
2756 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\adobe[1].exe | executable | |
MD5:05B81ACCA6AECB7B4D609E3A7EF043F9 | SHA256:49B9604F746102FEF8FC7D846D7ECDFA9334A0DF6C3C92B81B2F4DB64BE59581 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2756 | EQNEDT32.EXE | GET | 200 | 23.249.163.110:80 | http://23.249.163.110/microsoft/excel/adobe.exe | US | executable | 736 Kb | suspicious |
2676 | vbc.exe | GET | 200 | 216.146.43.71:80 | http://checkip.dyndns.org/ | US | html | 106 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2756 | EQNEDT32.EXE | 23.249.163.110:80 | — | ColoCrossing | US | suspicious |
2676 | vbc.exe | 77.246.188.128:587 | mail.essentiarestaurante.com | Mba Datacenters S.l. | ES | malicious |
2676 | vbc.exe | 216.146.43.71:80 | checkip.dyndns.org | Dynamic Network Services, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
checkip.dyndns.org |
| shared |
mail.essentiarestaurante.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2756 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2756 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
2756 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
2756 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2756 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
2756 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
2676 | vbc.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
2676 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] TR/Spy.Gen IP Check checkip.dyndns.org (AgentTesla) |
2676 | vbc.exe | Potentially Bad Traffic | ET POLICY DynDNS CheckIp External IP Address Server Response |