analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | bank deitals .xlsx |
| Full analysis: | https://app.any.run/tasks/e6447276-a411-4b2d-8bcb-3a54855e674c |
| Verdict: | Malicious activity |
| Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
| Analysis date: | July 17, 2019, 04:04:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info: | Microsoft Excel 2007+ |
| MD5: | 15AA0F68E50D7F91E9549A6C491C89EB |
| SHA1: | 8AC50DEE47E1CD9601C14FBD0CC4A6B88A8B5FBA |
| SHA256: | C050EB7B78E7C6D87BC30D236432593E015256CC53E416AA281D7FC1B71EC5AE |
| SSDEEP: | 192:Ve1HwzOV8vdQjmKEVPanYuwpwiFWJZcYr+YF:Ve158qmKEMYuwFWIc+YF |
MALICIOUS
Application was dropped or rewritten from another process
- bobbye686498.exe (PID: 2884)
- bobbyadf.exe (PID: 2612)
- bobbyadf.exe (PID: 800)
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 2628)
Downloads executable files from the Internet
- EQNEDT32.EXE (PID: 2628)
Actions looks like stealing of personal data
- bobbyadf.exe (PID: 2612)
AGENTTESLA was detected
- bobbyadf.exe (PID: 2612)
SUSPICIOUS
Executable content was dropped or overwritten
- EQNEDT32.EXE (PID: 2628)
- bobbye686498.exe (PID: 2884)
Creates files in the user directory
- EQNEDT32.EXE (PID: 2628)
- bobbye686498.exe (PID: 2884)
Executed via COM
- EQNEDT32.EXE (PID: 2628)
Application launched itself
- bobbyadf.exe (PID: 800)
Starts itself from another location
- bobbye686498.exe (PID: 2884)
Checks for external IP
- bobbyadf.exe (PID: 2612)
INFO
Reads the machine GUID from the registry
- EXCEL.EXE (PID: 2460)
Creates files in the user directory
- EXCEL.EXE (PID: 2460)
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 2460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
|---|---|---|
| .zip | | | Open Packaging Conventions container (31.5) |
| .zip | | | ZIP compressed archive (7.2) |
EXIF
XML
| AppVersion: | 12 |
|---|---|
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| TitlesOfParts: |
|
| HeadingPairs: |
|
| ScaleCrop: | No |
| DocSecurity: | None |
| Application: | Microsoft Excel |
| ModifyDate: | 2019:06:26 12:34:53Z |
| CreateDate: | 2019:06:26 12:28:43Z |
| LastModifiedBy: | Modexcomm |
XMP
| Creator: | Modexcomm |
|---|
ZIP
| ZipFileName: | [Content_Types].xml |
|---|---|
| ZipUncompressedSize: | 1777 |
| ZipCompressedSize: | 395 |
| ZipCRC: | 0xdfdbf455 |
| ZipModifyDate: | 2019:07:17 00:22:28 |
| ZipCompression: | Deflated |
| ZipBitFlag: | 0x0002 |
| ZipRequiredVersion: | 20 |
Total processes
42
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2460 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.4756.1000 | ||||
| 2628 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
| 2884 | "C:\Users\admin\AppData\Roaming\bobbye686498.exe" | C:\Users\admin\AppData\Roaming\bobbye686498.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 800 | "C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe" | C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe | — | bobbye686498.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 2612 | "C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe" | C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe | bobbyadf.exe | |
User: admin Integrity Level: MEDIUM | ||||
Total events
645
Read events
574
Write events
0
Delete events
0
Modification events
Executable files
3
Suspicious files
0
Text files
2
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2460 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA490.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2460 | EXCEL.EXE | C:\Users\admin\Desktop\~$bank deitals .xlsx | — | |
MD5:— | SHA256:— | |||
| 2884 | bobbye686498.exe | C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
| 2460 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bank deitals .xlsx.LNK | lnk | |
MD5:D112DED7F1FEE6D9DFDEFD579BE0FED1 | SHA256:D7E817C97F5917DCCE22734B338A7F07C623EB5F678228F77A27437775C8FCD5 | |||
| 2460 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:2075034AFD1D07E2A44281BBA0246935 | SHA256:F510F5C3BEE51129DC56BB6BC810A7995CD3E429762A4255E9886ADAABF4BD6A | |||
| 2628 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\bobbye686498.exe | executable | |
MD5:D7B148D9DFDC904560403D213BCA5489 | SHA256:9168E83D7C66004C1A884F8E4570854C4252BF930C282CBBF10AA3544A215038 | |||
| 2884 | bobbye686498.exe | C:\Users\admin\AppData\Roaming\bpbyies\bobbyadf.exe | executable | |
MD5:D7B148D9DFDC904560403D213BCA5489 | SHA256:9168E83D7C66004C1A884F8E4570854C4252BF930C282CBBF10AA3544A215038 | |||
| 2628 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\bobbye[1].exe | executable | |
MD5:D7B148D9DFDC904560403D213BCA5489 | SHA256:9168E83D7C66004C1A884F8E4570854C4252BF930C282CBBF10AA3544A215038 | |||
| 2612 | bobbyadf.exe | C:\Users\admin\AppData\Local\Temp\636989369636767500_cf6a3edd-b2ab-48fc-8250-541d83e25670.db | sqlite | |
MD5:6624BB001B05AE955BB5DF0503F672FB | SHA256:E503BD51B1695FF5500ABEB20AE973A507343CB1982F5107B37D30E20BD3258E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2628 | EQNEDT32.EXE | GET | 200 | 164.160.128.117:80 | http://mrjbiz.top/bobbye/bobbye.exe | NG | executable | 806 Kb | malicious |
2612 | bobbyadf.exe | GET | 200 | 34.197.157.64:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2612 | bobbyadf.exe | 34.197.157.64:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
2628 | EQNEDT32.EXE | 164.160.128.117:80 | mrjbiz.top | Garanntor-Hosting-AS | NG | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
mrjbiz.top |
| malicious |
checkip.amazonaws.com |
| shared |
mail.ideafon.gr |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2628 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
2628 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2628 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2628 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2612 | bobbyadf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2 ETPRO signatures available at the full report