File name: | ORDER_IMAGES_20108.doc |
Full analysis: | https://app.any.run/tasks/f3f8f236-2b64-47c5-8d5f-a202bca27449 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | December 03, 2019, 01:55:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 44281B04DCF54D55A03B06122C84B213 |
SHA1: | 3C9F42FA50771FA809EF71500000C3EEC449CAA4 |
SHA256: | AB418C1C6A61C01716F83FF7A2B042442DC12F04721E2787ABE7AF198EEE2803 |
SSDEEP: | 12288:oiEUeRxtMFuzqgU1lR89w9Ki3fLMjrLZ9yt6hzIkJ1Be04mFRep77V6Z2xtyR:oFUAMF63qD8yU0fLMu8JIkJ+iF4V6Uf6 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ORDER_IMAGES_20108.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2988 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2812 | "C:\Users\admin\AppData\Roaming\endyoj4729.com" | C:\Users\admin\AppData\Roaming\endyoj4729.com | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3636 | "C:\Users\admin\AppData\Roaming\endyuis\endyiop.exe" | C:\Users\admin\AppData\Roaming\endyuis\endyiop.exe | — | endyoj4729.com |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1596 | "C:\Users\admin\AppData\Roaming\endyuis\endyiop.exe" | C:\Users\admin\AppData\Roaming\endyuis\endyiop.exe | endyiop.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA94A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2812 | endyoj4729.com | C:\Users\admin\AppData\Roaming\endyuis\endyiop.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
1596 | endyiop.exe | C:\Users\admin\AppData\Roaming\ckd2xaiy.jtf\Firefox\Profiles\qldyz51w.default\cookies.sqlite | sqlite | |
MD5:7C426E0FC19063A433349CE713DA84A0 | SHA256:9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:45822EE62FC571A3151895E367644231 | SHA256:EB3C643FA978D554A4FC475FB2EC2D439467CBEED53546B5218462C2B3EC2CB5 | |||
2988 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\endyz[1].exe | executable | |
MD5:8A2271057733C2CE2D577FC3963F62DE | SHA256:15BAEE0A13E03BA70452AEC42E3001A8395256F5233B6B18E372A8ACD4D03F7D | |||
1596 | endyiop.exe | C:\Users\admin\AppData\Roaming\ckd2xaiy.jtf\Chrome\Default\Cookies | sqlite | |
MD5:DD9640AF5F03807CF2E3921CBA16AF0D | SHA256:ECF72C454FEF08C5948A565464839A554567E499F995483D6C8B54B32EA2C5F0 | |||
2988 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\endyoj4729.com | executable | |
MD5:8A2271057733C2CE2D577FC3963F62DE | SHA256:15BAEE0A13E03BA70452AEC42E3001A8395256F5233B6B18E372A8ACD4D03F7D | |||
1596 | endyiop.exe | C:\Users\admin\AppData\Local\Temp\567e3dc4-f0e5-4f19-981b-ac091f262424 | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
1596 | endyiop.exe | C:\Users\admin\AppData\Local\Temp\endy\endy.exe | executable | |
MD5:8A2271057733C2CE2D577FC3963F62DE | SHA256:15BAEE0A13E03BA70452AEC42E3001A8395256F5233B6B18E372A8ACD4D03F7D | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$DER_IMAGES_20108.doc.rtf | pgc | |
MD5:74946385809409FD4CBB9305E8B946B2 | SHA256:73AF0F7EB354FEC0D60518963EA5CB6DD53E081BC72CA07399B0E1A019E2FACD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2988 | EQNEDT32.EXE | GET | 200 | 162.144.128.116:80 | http://dubem.top/endyz/endyz.exe | US | executable | 1.22 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1596 | endyiop.exe | 199.79.63.218:587 | us3.smtp.mailhostbox.com | PDR | US | malicious |
2988 | EQNEDT32.EXE | 162.144.128.116:80 | dubem.top | Unified Layer | US | malicious |
Domain | IP | Reputation |
---|---|---|
dubem.top |
| unknown |
us3.smtp.mailhostbox.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2988 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
2988 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2988 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2988 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
1596 | endyiop.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |