Field | Value
---|---
File name | 963b579b269bce4478d3b2cfef8d07d015bca980.rtf
Full analysis | https://app.any.run/tasks/56072d17-0e13-4cda-b057-69450c9e6d69
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | March 21, 2019, 07:23:50
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | 9EFBD8B27AFB613BAB517C22595C58C2
SHA1 | 963B579B269BCE4478D3B2CFEF8D07D015BCA980
SHA256 | CE3C9263A3C8F413E306B870B72C56C40E635F30E5D2FBE542EA5D86D5A7629D
SSDEEP | 6144:IDOrg5Tb/OMDckU5Tb/zSDH3D5Tb/m+DVl65Tb/SPD5Xc5Tb/Q+1JQ:IYUvOMlwvzSDtvm+f+vSPtovQ5
Extension | Detected type
---|---
.rtf | Rich Text Format (100)

Document metadata | Value
---|---
LastModifiedBy | HP
CreateDate | 2019:03:18 22:33:00
ModifyDate | 2019:03:18 22:33:00
RevisionNumber | 1
TotalEditTime | -
Pages | 1
Words | 19
Characters | 112
CharactersWithSpaces | 130
InternalVersionNumber | 57433
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3520 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\963b579b269bce4478d3b2cfef8d07d015bca980.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2472 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
3116 | "C:\Users\admin\AppData\Local\Temp\m0yuc.exe" | C:\Users\admin\AppData\Local\Temp\m0yuc.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Web Publishing Wizard executable; Exit code: 0; Version: 6.1.33.0
2608 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
2308 | "C:\Users\admin\AppData\Local\Temp\m0yuc.exe" | C:\Users\admin\AppData\Local\Temp\m0yuc.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Web Publishing Wizard executable; Exit code: 0; Version: 6.1.33.0
3592 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
1832 | C:\Windows\system32\notepad.exe | C:\Windows\system32\notepad.exe | — | m0yuc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3468 | C:\Windows\system32\notepad.exe | C:\Windows\system32\notepad.exe | — | m0yuc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2776 | "C:\Users\admin\AppData\Local\Temp\m0yuc.exe" | C:\Users\admin\AppData\Local\Temp\m0yuc.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Web Publishing Wizard executable; Exit code: 0; Version: 6.1.33.0
2888 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA72.tmp.cvr | — | — | —
2472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR1157.tmp.cvr | — | — | —
2608 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR28A8.tmp.cvr | — | — | —
3116 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp | — | — | —
3592 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR30C6.tmp.cvr | — | — | —
2308 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp | — | — | —
2888 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3990.tmp.cvr | — | — | —
2776 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp | — | — | —
2556 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4410.tmp.cvr | — | — | —
3980 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3908 | notepad.exe | GET | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 356 b | malicious |
4020 | notepad.exe | GET | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 356 b | malicious |
1832 | notepad.exe | GET | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 356 b | malicious |
4020 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious |
3468 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious |
4056 | RegAsm.exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
3244 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious |
1832 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious |
3908 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1832 | notepad.exe | 193.238.47.9:80 | benten07.futbol | — | — | malicious |
2472 | EXCEL.EXE | 52.216.160.221:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
2608 | EXCEL.EXE | 54.231.49.107:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
1832 | notepad.exe | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
3592 | EXCEL.EXE | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
3908 | notepad.exe | 193.238.47.9:80 | benten07.futbol | — | — | malicious |
2556 | EXCEL.EXE | 52.216.112.141:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
3468 | notepad.exe | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
2888 | EXCEL.EXE | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
3908 | notepad.exe | 52.216.144.173:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation
---|---|---
s3.amazonaws.com | — | shared
benten07.futbol | — | malicious
ftp.onwamarch.xyz | — | malicious
checkip.amazonaws.com | — | shared
PID | Process | Class | Message |
---|---|---|---|
1832 | notepad.exe | A Network Trojan was detected | ET TROJAN Generic gate[.].php GET with minimal headers |
1832 | notepad.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3908 | notepad.exe | A Network Trojan was detected | ET TROJAN Generic gate[.].php GET with minimal headers |
3908 | notepad.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3468 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3468 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] KPOT Stealer Data Exfiltration |
3468 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PNJ (KPOT Stealer) Exfiltration |
3468 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
1832 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
1832 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] KPOT Stealer Data Exfiltration |