File name: | Purchase order N45368.doc |
Full analysis: | https://app.any.run/tasks/3da5f485-b205-48de-86bb-ae2a66131f33 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | September 11, 2019, 12:29:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 66EED4E6DFC866B83E9C5E5107A06D64 |
SHA1: | E147AAE9871E27EF78B68EEDA128B7029695E4BC |
SHA256: | D1AEA45B4FDBE94C17D10B66A77C140226324333347A52F1B12BAC1BE1392189 |
SSDEEP: | 96:8uL03/SJuFVnRNwVVnnBHQezYe+URpUMumgKBGlJLE:G/SJuhORjLUMupKBGLE |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3408 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Purchase order N45368.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3928 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3584 | "C:\Users\admin\AppData\Roaming\rwanyjmd58365.exe" | C:\Users\admin\AppData\Roaming\rwanyjmd58365.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3372 | "C:\Users\admin\AppData\Roaming\rwapjk\rwakiw.exe" | C:\Users\admin\AppData\Roaming\rwapjk\rwakiw.exe | — | rwanyjmd58365.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2680 | "C:\Users\admin\AppData\Roaming\rwapjk\rwakiw.exe" | C:\Users\admin\AppData\Roaming\rwapjk\rwakiw.exe | rwakiw.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3408 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR97A1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3584 | rwanyjmd58365.exe | C:\Users\admin\AppData\Roaming\rwapjk\rwakiw.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
2680 | rwakiw.exe | C:\Users\admin\AppData\Roaming\tsety4kv.yrm\Chrome\Default\Cookies | — | |
MD5:— | SHA256:— | |||
2680 | rwakiw.exe | C:\Users\admin\AppData\Roaming\tsety4kv.yrm\Firefox\Profiles\qldyz51w.default\cookies.sqlite | — | |
MD5:— | SHA256:— | |||
3408 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D6CA9BE99F6E244F15F4937F1B4F0641 | SHA256:4F08E3C7EF3B470E3EBDAE6FC428D4992B8C9C64BDF11FC152F928419A52A6CC | |||
2680 | rwakiw.exe | C:\Users\admin\AppData\Roaming\tsety4kv.yrm.zip | compressed | |
MD5:56D8BC2600BA6C88C20A3BAB2F88A3EB | SHA256:F6EA0845B43FDE913E67D8BBA25691DACB4CDC82BDC5D868658D0B913BD9FD84 | |||
3928 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\rwany[1].exe | executable | |
MD5:C55C428C8639A7A7FFEEF90708EBCAFB | SHA256:8E3C4F47A288CEE9A94A01E8AB150420F496D54F9E4724E8052106E6242784F8 | |||
3584 | rwanyjmd58365.exe | C:\Users\admin\AppData\Roaming\rwapjk\rwakiw.exe | executable | |
MD5:C55C428C8639A7A7FFEEF90708EBCAFB | SHA256:8E3C4F47A288CEE9A94A01E8AB150420F496D54F9E4724E8052106E6242784F8 | |||
3408 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rchase order N45368.doc.rtf | pgc | |
MD5:C51A646E075FA0E0876307D40B4554E8 | SHA256:25A0723793CE9CE7EC7354580D360860A2E2097E61C9143A9842258A080F12CA | |||
3928 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\rwanyjmd58365.exe | executable | |
MD5:C55C428C8639A7A7FFEEF90708EBCAFB | SHA256:8E3C4F47A288CEE9A94A01E8AB150420F496D54F9E4724E8052106E6242784F8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2680 | rwakiw.exe | GET | 200 | 34.196.181.158:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
3928 | EQNEDT32.EXE | GET | 200 | 162.144.128.116:80 | http://alhaji.top/rwany/rwany.exe | US | executable | 1.22 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2680 | rwakiw.exe | 208.91.199.223:587 | us2.smtp.mailhostbox.com | PDR | US | shared |
3928 | EQNEDT32.EXE | 162.144.128.116:80 | alhaji.top | Unified Layer | US | malicious |
2680 | rwakiw.exe | 34.196.181.158:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
alhaji.top |
| malicious |
checkip.amazonaws.com |
| shared |
us2.smtp.mailhostbox.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3928 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
3928 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3928 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3928 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2680 | rwakiw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |