| Field | Value |
|---|---|
| File name | EPCC FOR FFD PHASE 4A FACILITIES, NMB (DAHLIA, TERATAI & KANGSAR) - SUPPLY OF FLEXIBLE HOSE, COUPLING, UNION & CLAMP.eml |
| Full analysis | https://app.any.run/tasks/c319be63-881e-401c-b1f6-1a061db3f3c9 |
| Verdict | Malicious activity |
| Threats | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold. |
| Analysis date | September 30, 2020, 11:24:20 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | message/rfc822 |
| File info | SMTP mail, ASCII text, with very long lines |
| MD5 | 13EAF45BBE0127B49E3B38658D85DBEA |
| SHA1 | 201EDA0161B9C9ACB1E10950C57EDD466F8AFEE4 |
| SHA256 | AED8E283F8493E2076FBB3918781F2750B0182C6D35B00779F30DB23919C231A |
| SSDEEP | 12288:LYl55GhR5/Uc7m7kTGVqB+TjoQ7lSuUHt9GxWD7gwS7zteCWbFAqhs1MUAhUiJpQ:sl55GhRVdlgZSurWfgwEgjFc11cpCz |
| File type | .eml: E-Mail message (Var. 1) (100) |
| PID | Command line | Path | Parent process | Indicators | Exit code | Details |
|---|---|---|---|---|---|---|
| 2196 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\9fc43c3f-39f1-45d1-8c6a-23da473ed500.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | — | | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
| 1900 | "C:\Windows\System32\isoburn.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\JLY8E92F\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer003.img" | C:\Windows\System32\isoburn.exe | OUTLOOK.EXE | — | 1 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Disc Image Burning Tool; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1984 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer003.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | — | | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3144 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | WinRAR.exe | — | 0 | User: admin; Company: theHTPC.net; Integrity Level: MEDIUM; Description: Folder GUI; Version: 1.4.4.0 |
| 3592 | "C:\Users\admin\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe" | C:\Users\admin\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | explorer.exe | — | 0 | User: admin; Company: theHTPC.net; Integrity Level: MEDIUM; Description: Folder GUI; Version: 1.4.4.0 |
| 2424 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rahQfP" /XML "C:\Users\admin\AppData\Local\Temp\tmp505A.tmp" | C:\Windows\System32\schtasks.exe | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | — | 0 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2672 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | — | 4294967295 (0xFFFFFFFF) | User: admin; Company: theHTPC.net; Integrity Level: MEDIUM; Description: Folder GUI; Version: 1.4.4.0 |
| 3028 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | — | 4294967295 (0xFFFFFFFF) | User: admin; Company: theHTPC.net; Integrity Level: MEDIUM; Description: Folder GUI; Version: 1.4.4.0 |
| 3264 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | — | 4294967295 (0xFFFFFFFF) | User: admin; Company: theHTPC.net; Integrity Level: MEDIUM; Description: Folder GUI; Version: 1.4.4.0 |
| 3396 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | — | | User: admin; Company: theHTPC.net; Integrity Level: MEDIUM; Description: Folder GUI; Version: 1.4.4.0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2196 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRAE04.tmp.cvr | — | — | — |
| 2196 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmpB037.tmp | — | — | — |
| 2196 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\JLY8E92F\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer003 (2).img\:Zone.Identifier:$DATA | — | — | — |
| 1984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1984.47056\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | — | — | — |
| 3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | C:\Users\admin\AppData\Roaming\2lceiwwx.2oe\Chrome\Default\Cookies | — | — | — |
| 3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | C:\Users\admin\AppData\Roaming\2lceiwwx.2oe\Firefox\Profiles\qldyz51w.default\cookies.sqlite | — | — | — |
| 2196 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | AC93681BB0B9482E63E85ADA32C84227 | EB017C8F4BD5BD4FB911A1C1E01B78FAB5A7EE5AC237B31898287E303ED9CD6D |
| 1984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | executable | 1C92EF7C6C4D535D22EDBBDF7159513C | 98C79B72A2E5D25F4023FC2C6000983E9534C590B80A0BB2810D0B56C24E7B43 |
| 3144 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | C:\Users\admin\AppData\Local\Temp\tmp505A.tmp | xml | 204B1D6641031CC4A28D2D5AD49FA70F | 5932D50555D0B11E85C55DB980A7F04711CA46D31209CC32F0F3CBADA06A0F3F |
| 3144 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | C:\Users\admin\AppData\Roaming\rahQfP.exe | executable | 1C92EF7C6C4D535D22EDBBDF7159513C | 98C79B72A2E5D25F4023FC2C6000983E9534C590B80A0BB2810D0B56C24E7B43 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2196 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2196 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | 208.91.199.225:587 | smtp.mitsoi.com | PDR | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | 64.4.26.155 | whitelisted |
| smtp.mitsoi.com | 208.91.199.225 | malicious |
PID | Process | Class | Message |
---|---|---|---|
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | ET TROJAN AgentTesla Exfil Via SMTP |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | ET TROJAN AgentTesla Exfil Via SMTP |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
3396 | Project Document A02057 NMB TYP PIP SPC 40000_REV_D Material Spec_scanned from a xerox printer002.exe | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
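The process, file and connection tables above describe one delivery chain: a disc-image attachment opened from Outlook (handed to isoburn.exe, because Windows 7 has no native .img mounting), WinRAR unpacking the payload into its Rar$EXa temp directory, the payload registering a scheduled task from an XML file in %TEMP% and dropping a copy to %APPDATA%\rahQfP.exe, the payload spawning copies of its own image (three of which exited with 4294967295, i.e. 0xFFFFFFFF), and the surviving child connecting to smtp.mitsoi.com on TCP 587 while the IDS flags Agent Tesla SMTP exfiltration. The following Python is an added example, not ANY.RUN's code: it turns each of those steps into a detection rule and runs them over event records constructed from the report's rows. The `ProcEvent`/`NetEvent` layout and the rule names are assumptions for illustration, not a real EDR or Sysmon schema.

```python
"""Detection rules for the Agent Tesla delivery chain in the report above.

Added example, not ANY.RUN's code. PROC_EVENTS and NET_EVENTS are constructed
from the report's process and connection tables; the record layout is an
assumption, not a real EDR or Sysmon schema.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

STEM = ("Project Document A02057 NMB TYP PIP SPC 40000_REV_D "
        "Material Spec_scanned from a xerox printer")
IMG, RAR, EXE = STEM + "003.img", STEM + "003.rar", STEM + "002.exe"
RAR_TMP = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.46284"
OL_TMP = (r"C:\Users\admin\AppData\Local\Microsoft\Windows"
          r"\Temporary Internet Files\Content.Outlook\JLY8E92F")
DESKTOP = r"C:\Users\admin\Desktop"
DROPPER = ntpath.join(RAR_TMP, EXE)   # the unpacked payload, PIDs 3144/2672/3028/3264/3396


@dataclass
class ProcEvent:
    pid: int
    image: str                      # full path of the started executable
    cmdline: str
    parent_image: str               # basename only, as the report gives it
    exit_code: Optional[int] = None


@dataclass
class NetEvent:
    pid: int
    image: str
    dst_ip: str
    dst_port: int
    domain: str


def q(*parts: str) -> str:
    """Join tokens into a command line, quoting the ones the report shows quoted."""
    return " ".join(f'"{p}"' if (" " in p or "\\" in p) else p for p in parts)


# Constructed from the report's process tree, in the order the report lists it.
PROC_EVENTS = [
    ProcEvent(2196, r"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE",
              q(r"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE", "/eml",
                r"C:\Users\admin\AppData\Local\Temp\9fc43c3f-39f1-45d1-8c6a-23da473ed500.eml"),
              "explorer.exe"),
    ProcEvent(1900, r"C:\Windows\System32\isoburn.exe",
              q(r"C:\Windows\System32\isoburn.exe", ntpath.join(OL_TMP, IMG)), "OUTLOOK.EXE", 1),
    ProcEvent(1984, r"C:\Program Files\WinRAR\WinRAR.exe",
              q(r"C:\Program Files\WinRAR\WinRAR.exe", ntpath.join(DESKTOP, RAR)), "explorer.exe"),
    ProcEvent(3144, DROPPER, q(DROPPER), "WinRAR.exe", 0),
    ProcEvent(3592, ntpath.join(DESKTOP, EXE), q(ntpath.join(DESKTOP, EXE)), "explorer.exe", 0),
    ProcEvent(2424, r"C:\Windows\System32\schtasks.exe",
              q(r"C:\Windows\System32\schtasks.exe", "/Create", "/TN", r"Updates\rahQfP",
                "/XML", r"C:\Users\admin\AppData\Local\Temp\tmp505A.tmp"), EXE, 0),
    ProcEvent(2672, DROPPER, q(DROPPER), EXE, 4294967295),
    ProcEvent(3028, DROPPER, q(DROPPER), EXE, 4294967295),
    ProcEvent(3264, DROPPER, q(DROPPER), EXE, 4294967295),
    ProcEvent(3396, DROPPER, q(DROPPER), EXE),
]

# Constructed from the report's connection table.
NET_EVENTS = [
    NetEvent(2196, r"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE", "64.4.26.155", 80,
             "config.messenger.msn.com"),
    NetEvent(3396, DROPPER, "208.91.199.225", 587, "smtp.mitsoi.com"),
]

# Directories where WinRAR (Rar$EXa / Rar$DRa) and Outlook (Content.Outlook\<id>) unpack content.
EXTRACT_DIR_RE = re.compile(r"\\(Rar\$(?:EX|DR)[a-z]\d+\.\d+|Content\.Outlook\\[^\\]+)\\", re.I)
DISC_IMAGE_RE = re.compile(r'\.(?:img|iso)"?\s*$', re.I)
SCHTASKS_XML_RE = re.compile(r'/Create\b.*/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> Dict[str, List[int]]:
    """Return rule name -> PIDs that matched, in event order."""
    hits: Dict[str, List[int]] = {k: [] for k in (
        "disc_image_opened_from_outlook", "exec_from_extraction_dir",
        "schtasks_create_from_temp_xml", "spawned_copy_of_self", "smtp_from_non_mail_client")}
    for p in procs:
        name = ntpath.basename(p.image).lower()
        parent = p.parent_image.lower()
        if parent == "outlook.exe" and DISC_IMAGE_RE.search(p.cmdline):
            hits["disc_image_opened_from_outlook"].append(p.pid)
        if EXTRACT_DIR_RE.search(p.image):
            hits["exec_from_extraction_dir"].append(p.pid)
        if name == "schtasks.exe" and SCHTASKS_XML_RE.search(p.cmdline):
            hits["schtasks_create_from_temp_xml"].append(p.pid)
        if name == parent:          # a process starting a copy of its own image
            hits["spawned_copy_of_self"].append(p.pid)
    for n in nets:
        if n.dst_port in SMTP_PORTS and ntpath.basename(n.image).lower() not in MAIL_CLIENTS:
            hits["smtp_from_non_mail_client"].append(n.pid)
    return hits


if __name__ == "__main__":
    for rule, pids in detect(PROC_EVENTS, NET_EVENTS).items():
        print(f"{rule:32s} {pids}")
```

Run against the report's rows, `schtasks_create_from_temp_xml` fires only on PID 2424, `smtp_from_non_mail_client` only on 3396 (Outlook's port-80 request is ignored), and `spawned_copy_of_self` on 2672, 3028, 3264 and 3396. The `exec_from_extraction_dir` rule also matches 3144, but on its own it is noisy, since any user who runs an installer straight out of WinRAR trips it; treat it as a scoring signal and alert on the combination, in particular extraction-dir execution followed by the scheduled-task or SMTP rule from the same process tree.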