File name:

bank deitals .xlsx

Full analysis: https://app.any.run/tasks/e6447276-a411-4b2d-8bcb-3a54855e674c
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 04:04:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
opendir
exploit
cve-2017-11882
loader
evasion
trojan
rat
agenttesla
keylogger
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

15AA0F68E50D7F91E9549A6C491C89EB

SHA1:

8AC50DEE47E1CD9601C14FBD0CC4A6B88A8B5FBA

SHA256:

C050EB7B78E7C6D87BC30D236432593E015256CC53E416AA281D7FC1B71EC5AE

SSDEEP:

192:Ve1HwzOV8vdQjmKEVPanYuwpwiFWJZcYr+YF:Ve158qmKEMYuwFWIc+YF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2628)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2628)

    • Application was dropped or rewritten from another process

      • bobbyadf.exe (PID: 800)
      • bobbye686498.exe (PID: 2884)
      • bobbyadf.exe (PID: 2612)

    • AGENTTESLA was detected

      • bobbyadf.exe (PID: 2612)

    • Actions looks like stealing of personal data

      • bobbyadf.exe (PID: 2612)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2628)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2628)
      • bobbye686498.exe (PID: 2884)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2628)
      • bobbye686498.exe (PID: 2884)

    • Application launched itself

      • bobbyadf.exe (PID: 800)

    • Starts itself from another location

      • bobbye686498.exe (PID: 2884)

    • Checks for external IP

      • bobbyadf.exe (PID: 2612)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2460)

    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 2460)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:07:17 00:22:28
ZipCRC: 0xdfdbf455
ZipCompressedSize: 395
ZipUncompressedSize: 1777
ZipFileName: [Content_Types].xml

XMP

Creator: Modexcomm

XML

LastModifiedBy: Modexcomm
CreateDate: 2019:06:26 12:28:43Z
ModifyDate: 2019:06:26 12:34:53Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe bobbye686498.exe bobbyadf.exe no specs #AGENTTESLA bobbyadf.exe

Process information

PID
CMD
Path
Indicators
Parent process
800"C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe"C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exebobbye686498.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bpbyies\bobbyadf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2460"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.4756.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2612"C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe"C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe
bobbyadf.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bpbyies\bobbyadf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2628"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2884"C:\Users\admin\AppData\Roaming\bobbye686498.exe"C:\Users\admin\AppData\Roaming\bobbye686498.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bobbye686498.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
645
Read events
574
Write events
59
Delete events
12

Modification events

(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:/,=
Value:
2F2C3D009C090000010000000000000000000000
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:2057
Value:
On
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation:writeName:MTTT
Value:
9C090000D25E6ED0543CD50100000000
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:delete valueName:/,=
Value:
2F2C3D009C090000010000000000000000000000
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:delete keyName:
Value:
(PID) Process:(2460) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation:delete keyName:
Value:
(PID) Process:(2460) EXCEL.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:EXCELFiles
Value:
1324417047
(PID) Process:(2460) EXCEL.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324417150
Executable files
3
Suspicious files
0
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2460EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA490.tmp.cvr
MD5:
SHA256:
2460EXCEL.EXEC:\Users\admin\Desktop\~$bank deitals .xlsx
MD5:
SHA256:
2884bobbye686498.exeC:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe:ZoneIdentifier
MD5:
SHA256:
2460EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:
SHA256:
2628EQNEDT32.EXEC:\Users\admin\AppData\Roaming\bobbye686498.exeexecutable
MD5:
SHA256:
2460EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bank deitals .xlsx.LNKlnk
MD5:
SHA256:
2884bobbye686498.exeC:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exeexecutable
MD5:
SHA256:
2612bobbyadf.exeC:\Users\admin\AppData\Local\Temp\636989369636767500_cf6a3edd-b2ab-48fc-8250-541d83e25670.dbsqlite
MD5:
SHA256:
2628EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\bobbye[1].exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
3
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2628
EQNEDT32.EXE
GET
200
164.160.128.117:80
http://mrjbiz.top/bobbye/bobbye.exe
NG
executable
806 Kb
malicious
2612
bobbyadf.exe
GET
200
34.197.157.64:80
http://checkip.amazonaws.com/
US
text
14 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2628
EQNEDT32.EXE
164.160.128.117:80
mrjbiz.top
Garanntor-Hosting-AS
NG
malicious
2612
bobbyadf.exe
34.197.157.64:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared

DNS requests

Domain
IP
Reputation
mrjbiz.top
  • 164.160.128.117
malicious
checkip.amazonaws.com
  • 34.197.157.64
  • 52.202.139.131
  • 34.233.102.38
  • 18.211.215.84
  • 52.6.79.229
  • 52.206.161.133
malicious
mail.ideafon.gr
malicious

Threats

PID
Process
Class
Message
412
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2628
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2628
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2628
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2628
EQNEDT32.EXE
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
2612
bobbyadf.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bank deitals .xlsx