File name: | PO 6004001046-000001.doc |
Full analysis: | https://app.any.run/tasks/18809921-a712-45c3-a53c-b5e6d940c285 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date: | March 31, 2020, 06:23:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 81FF174060CE706D9E3F3A3D9117A01F |
SHA1: | 46D07FF6A8EF26CF294EAF45D72F1EAC28D78EE2 |
SHA256: | D4ACDFFE14D9A59E94F4488DCDAD3ABC2DCE847A3F756A25B06FC23D42E8056B |
SSDEEP: | 1536:Ox1JtZM4bC06mf5gAKLCKvgnKnalAMp+j8d/fp4L0XzCMa64jnH4VjO6yUscTM4H:Ox1JbMw88T4L11jHsTv/v |
File type: | .rtf (Rich Text Format, 100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2492 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO 6004001046-000001.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | | | | |
1196 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | | | | |
540 | "C:\ProgramData\encx.com" | C:\ProgramData\encx.com | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Description: — Version: 0.0.0.0 | | | | |
PID | Process | Filename | Type |
---|---|---|---|
2492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B74.tmp.cvr | — |
MD5: — | SHA256: — | | |
2492 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc |
MD5: 477916EFB88A373723F281B8A9BC2EA4 | SHA256: F8C4753F90B6CCCCFB7FC260ACCB0BA935A8E56898FCB3BBF10845FF3B8EE27B | | |
2492 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ 6004001046-000001.doc | pgc |
MD5: FDBC06968CCC482AD6F68C866CF05069 | SHA256: 9B12AF0AB02F8D6902C9FB0E12749C4F96E5B46DC26736616AE981287E031B61 | | |
1196 | EQNEDT32.EXE | C:\ProgramData\encx.com | executable |
MD5: 0DE6E159DDF9E72594A9724ACABFEB8B | SHA256: 077F75EF7FDB1663E70C33E20D8D7C4383FA13FD95517FAB8023FCE526BF3A25 | | |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1196 | EQNEDT32.EXE | GET | 200 | 47.106.73.29:80 | http://sterilizationvalidation.com/wordpress/wp-content/uploads/2019/12/pov.exe | CN | executable | 290 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
540 | encx.com | 208.91.199.225:587 | smtp.rianbowmax.com | PDR | US | shared |
1196 | EQNEDT32.EXE | 47.106.73.29:80 | sterilizationvalidation.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
Domain | IP | Reputation |
---|---|---|
sterilizationvalidation.com | — | malicious |
smtp.rianbowmax.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
1196 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1196 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
1196 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1196 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
540 | encx.com | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
540 | encx.com | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
540 | encx.com | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |