File name: 963b579b269bce4478d3b2cfef8d07d015bca980.rtf
Full analysis: https://app.any.run/tasks/56072d17-0e13-4cda-b057-69450c9e6d69
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: March 21, 2019, 07:23:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc, trojan, stealer, kpot, necurs, evasion, rat, agenttesla
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 9EFBD8B27AFB613BAB517C22595C58C2
SHA1: 963B579B269BCE4478D3B2CFEF8D07D015BCA980
SHA256: CE3C9263A3C8F413E306B870B72C56C40E635F30E5D2FBE542EA5D86D5A7629D
SSDEEP: 6144:IDOrg5Tb/OMDckU5Tb/zSDH3D5Tb/m+DVl65Tb/SPD5Xc5Tb/Q+1JQ:IYUvOMlwvzSDtvm+f+vSPtovQ5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2472)
      • EXCEL.EXE (PID: 2608)
      • EXCEL.EXE (PID: 3592)
      • EXCEL.EXE (PID: 2888)
      • EXCEL.EXE (PID: 2556)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2472)
      • EXCEL.EXE (PID: 2608)
      • EXCEL.EXE (PID: 3592)
      • EXCEL.EXE (PID: 2888)
      • EXCEL.EXE (PID: 2556)
    • Application was dropped or rewritten from another process

      • m0yuc.exe (PID: 3116)
      • m0yuc.exe (PID: 2308)
      • m0yuc.exe (PID: 2776)
      • m0yuc.exe (PID: 3980)
      • 3E53.tmp.exe (PID: 3532)
      • 42F6.tmp.exe (PID: 3028)
      • 5FE5.tmp.exe (PID: 2412)
      • m0yuc.exe (PID: 2384)
      • 6A35.tmp.exe (PID: 2996)
      • 7CF2.tmp.exe (PID: 2952)
    • KPOT was detected

      • notepad.exe (PID: 3468)
      • notepad.exe (PID: 1832)
      • notepad.exe (PID: 3908)
      • notepad.exe (PID: 3244)
      • notepad.exe (PID: 4020)
    • Connects to CnC server

      • notepad.exe (PID: 3468)
      • notepad.exe (PID: 1832)
      • notepad.exe (PID: 3908)
      • notepad.exe (PID: 3244)
      • notepad.exe (PID: 4020)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 4056)
    • AGENTTESLA was detected

      • RegAsm.exe (PID: 4056)
  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • notepad.exe (PID: 1832)
      • notepad.exe (PID: 3468)
      • notepad.exe (PID: 3908)
      • notepad.exe (PID: 3244)
      • notepad.exe (PID: 4020)
    • Executable content was dropped or overwritten

      • notepad.exe (PID: 1832)
      • notepad.exe (PID: 3468)
      • notepad.exe (PID: 3908)
      • notepad.exe (PID: 3244)
      • notepad.exe (PID: 4020)
    • Reads the cookies of Mozilla Firefox

      • notepad.exe (PID: 1832)
      • notepad.exe (PID: 3468)
      • notepad.exe (PID: 3908)
      • notepad.exe (PID: 3244)
      • notepad.exe (PID: 4020)
    • Loads DLL from Mozilla Firefox

      • RegAsm.exe (PID: 4056)
    • Connects to unusual port

      • RegAsm.exe (PID: 4056)
    • Checks for external IP

      • RegAsm.exe (PID: 4056)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2472)
      • WINWORD.EXE (PID: 3520)
      • EXCEL.EXE (PID: 2608)
      • EXCEL.EXE (PID: 3592)
      • EXCEL.EXE (PID: 2888)
      • EXCEL.EXE (PID: 2556)
      • excelcnv.exe (PID: 3904)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3520)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)

EXIF (RTF):
LastModifiedBy: HP
CreateDate: 2019:03:18 22:33:00
ModifyDate: 2019:03:18 22:33:00
RevisionNumber: 1
TotalEditTime: -
Pages: 1
Words: 19
Characters: 112
CharactersWithSpaces: 130
InternalVersionNumber: 57433
All screenshots are available in the full report
Total processes: 58
Monitored processes: 27
Malicious processes: 17
Suspicious processes: 0

Behavior graph

The graph itself is in the full report; only its node labels survive here. Edges are labelled "start" (one) and "drop and start" (seven). Nodes in graph order, with the detection tag shown where the sandbox attached one and "no specs" where it attached none:

  • winword.exe (no specs)
  • excel.exe
  • m0yuc.exe (no specs)
  • excel.exe
  • m0yuc.exe (no specs)
  • excel.exe
  • notepad.exe (#KPOT)
  • notepad.exe (#KPOT)
  • m0yuc.exe (no specs)
  • excel.exe
  • 3e53.tmp.exe (no specs)
  • notepad.exe (#KPOT)
  • regasm.exe (#AGENTTESLA)
  • m0yuc.exe (no specs)
  • excel.exe
  • 42f6.tmp.exe (no specs)
  • regasm.exe (no specs)
  • notepad.exe (#KPOT)
  • 5fe5.tmp.exe (no specs)
  • regasm.exe (no specs)
  • m0yuc.exe (no specs)
  • excelcnv.exe (no specs)
  • 6a35.tmp.exe (no specs)
  • notepad.exe (#KPOT)
  • regasm.exe (no specs)
  • 7cf2.tmp.exe (no specs)
  • regasm.exe (no specs)

Process information

PID: 3520
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\963b579b269bce4478d3b2cfef8d07d015bca980.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2472
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000

PID: 3116
CMD: "C:\Users\admin\AppData\Local\Temp\m0yuc.exe"
Path: C:\Users\admin\AppData\Local\Temp\m0yuc.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Web Publishing Wizard executable
Exit code: 0
Version: 6.1.33.0

PID: 2608
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000

PID: 2308
CMD: "C:\Users\admin\AppData\Local\Temp\m0yuc.exe"
Path: C:\Users\admin\AppData\Local\Temp\m0yuc.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Web Publishing Wizard executable
Exit code: 0
Version: 6.1.33.0

PID: 3592
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000

PID: 1832
CMD: C:\Windows\system32\notepad.exe
Path: C:\Windows\system32\notepad.exe
Parent process: m0yuc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3468
CMD: C:\Windows\system32\notepad.exe
Path: C:\Windows\system32\notepad.exe
Parent process: m0yuc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2776
CMD: "C:\Users\admin\AppData\Local\Temp\m0yuc.exe"
Path: C:\Users\admin\AppData\Local\Temp\m0yuc.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Web Publishing Wizard executable
Exit code: 0
Version: 6.1.33.0

PID: 2888
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000
Total events: 6 722
Read events: 5 841
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 17
Suspicious files: 0
Text files: 7
Unknown types: 3

Dropped files (the Type, MD5 and SHA256 columns are empty in this report):

PID | Process | Filename
--- | --- | ---
3520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA72.tmp.cvr
2472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR1157.tmp.cvr
2608 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR28A8.tmp.cvr
3116 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp
3592 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR30C6.tmp.cvr
2308 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp
2888 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3990.tmp.cvr
2776 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp
2556 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4410.tmp.cvr
3980 | m0yuc.exe | C:\Users\admin\AppData\Local\Temp\Apple.bmp
HTTP(S) requests: 9
TCP/UDP connections: 18
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
3908 | notepad.exe | GET | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 356 b | malicious
4020 | notepad.exe | GET | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 356 b | malicious
1832 | notepad.exe | GET | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 356 b | malicious
4020 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious
3468 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious
4056 | RegAsm.exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared
3244 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious
1832 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious
3908 | notepad.exe | POST | 200 | 193.238.47.9:80 | http://benten07.futbol/Adq5098P8ZgdD6Xn/gate.php | unknown | text | 2 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
--- | --- | --- | --- | --- | --- | ---
1832 | notepad.exe | 193.238.47.9:80 | benten07.futbol | | | malicious
2472 | EXCEL.EXE | 52.216.160.221:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown
2608 | EXCEL.EXE | 54.231.49.107:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown
1832 | notepad.exe | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared
3592 | EXCEL.EXE | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared
3908 | notepad.exe | 193.238.47.9:80 | benten07.futbol | | | malicious
2556 | EXCEL.EXE | 52.216.112.141:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared
3468 | notepad.exe | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared
2888 | EXCEL.EXE | 52.216.132.53:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared
3908 | notepad.exe | 52.216.144.173:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
--- | --- | ---
s3.amazonaws.com | 52.216.160.221, 54.231.49.107, 52.216.132.53, 52.216.144.173, 52.216.112.141, 52.216.131.77, 52.216.160.29 | shared
benten07.futbol | 193.238.47.9, 109.234.38.194, 62.173.138.211, 62.173.149.163 | malicious
ftp.onwamarch.xyz | 104.144.198.27 | malicious
checkip.amazonaws.com | 52.202.139.131, 34.196.82.108, 18.233.42.138, 52.0.208.170, 52.200.125.74, 34.233.102.38 | shared

Threats

PID | Process | Class | Message
--- | --- | --- | ---
1832 | notepad.exe | A Network Trojan was detected | ET TROJAN Generic gate[.].php GET with minimal headers
1832 | notepad.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
3908 | notepad.exe | A Network Trojan was detected | ET TROJAN Generic gate[.].php GET with minimal headers
3908 | notepad.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
3468 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer
3468 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] KPOT Stealer Data Exfiltration
3468 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PNJ (KPOT Stealer) Exfiltration
3468 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers
1832 | notepad.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer
1832 | notepad.exe | A Network Trojan was detected | MALWARE [PTsecurity] KPOT Stealer Data Exfiltration
12 ETPRO signatures available at the full report
No debug info