| Field | Value |
|---|---|
| File name | PO 6004001046-000001.doc |
| Full analysis | https://app.any.run/tasks/5c97f3db-2959-4bb7-b11e-85bd7eb1ec4f |
| Verdict | Malicious activity |
| Threats | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold. |
| Analysis date | March 31, 2020, 06:30:59 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | 81FF174060CE706D9E3F3A3D9117A01F |
| SHA1 | 46D07FF6A8EF26CF294EAF45D72F1EAC28D78EE2 |
| SHA256 | D4ACDFFE14D9A59E94F4488DCDAD3ABC2DCE847A3F756A25B06FC23D42E8056B |
| SSDEEP | 1536:Ox1JtZM4bC06mf5gAKLCKvgnKnalAMp+j8d/fp4L0XzCMa64jnH4VjO6yUscTM4H:Ox1JbMw88T4L11jHsTv/v |
| File type detection | .rtf: Rich Text Format (100) |

The sample carries a .doc extension but is RTF (MIME text/rtf, and the sandbox renamed it to .doc.rtf before opening); Word selects its parser from the file content, so the mismatched extension does not change how it is handled.
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2784 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO 6004001046-000001.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 3336 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
| | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | | |
| 2360 | "C:\ProgramData\encx.com" | C:\ProgramData\encx.com | | EQNEDT32.EXE |
| | User: admin; Integrity Level: MEDIUM; Description: (empty); Version: 0.0.0.0 | | | |

EQNEDT32.EXE is started out-of-process by the COM runtime (the -Embedding switch), which is why its parent is svchost.exe rather than WINWORD.EXE: a detection keyed on WINWORD.EXE spawning a child process does not see this chain. The Equation Editor then writes C:\ProgramData\encx.com (a PE despite the .com extension, see the file table below) and executes it as PID 2360.
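Added example, not part of the ANY.RUN report: the process tree above rendered as Sysmon-style process-creation events and run through three small rules that catch it without relying on a WINWORD.EXE parent link. The event dicts are constructed from the report's tree (field names follow Sysmon Event ID 1); the parent PIDs for explorer.exe and svchost.exe are not on the page and are placeholders.

```python
"""Process-chain triage for the Equation Editor -> dropper chain.

Added example: the EVENTS list is constructed to mirror the report's process
tree. ParentProcessId values 1234 (explorer.exe) and 800 (svchost.exe) are
placeholders; the report does not give them.
"""

# Office helpers that COM launches out-of-process ("-Embedding"); their parent
# is svchost.exe, so rules must key on the helper's own image name.
OFFICE_COM_HELPERS = {"eqnedt32.exe"}

EVENTS = [
    {"ProcessId": 2784, "ParentProcessId": 1234,
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                    r'"C:\Users\admin\AppData\Local\Temp\PO 6004001046-000001.doc.rtf"'},
    {"ProcessId": 3336, "ParentProcessId": 800,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ProcessId": 2360, "ParentProcessId": 3336,
     "Image": r"C:\ProgramData\encx.com",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\ProgramData\encx.com"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Walk ParentProcessId links and return the chain root -> pid.

    The last parent that has no event of its own (svchost.exe here) is taken
    from ParentImage so the chain still starts at a real process name.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    if pid not in by_pid:
        return []
    chain = []
    event = None
    while pid in by_pid:
        event = by_pid[pid]
        chain.append(basename(event["Image"]))
        pid = event["ParentProcessId"]
    chain.append(basename(event["ParentImage"]))
    return list(reversed(chain))


def detect(events):
    """Return (pid, rule) hits for the three behaviours seen in the report."""
    hits = []
    for e in events:
        image = basename(e["Image"])
        parent = basename(e["ParentImage"])
        # Rule 1: Equation Editor started by COM (-Embedding). Word is not the
        # parent, so match the helper itself rather than a WINWORD child.
        if image in OFFICE_COM_HELPERS and "-embedding" in e["CommandLine"].lower():
            hits.append((e["ProcessId"], "office_com_helper_started"))
        # Rule 2: the Equation Editor has no reason to spawn anything.
        if parent in OFFICE_COM_HELPERS:
            hits.append((e["ProcessId"], "office_com_helper_spawned_child"))
        # Rule 3: a ".com" launched from the world-writable ProgramData root.
        if e["Image"].lower().startswith("c:\\programdata\\") and image.endswith(".com"):
            hits.append((e["ProcessId"], "unusual_extension_in_programdata"))
    return hits


if __name__ == "__main__":
    print(" > ".join(ancestry(EVENTS, 2360)))   # winword.exe never appears
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Running it shows the dropper's ancestry as svchost.exe > eqnedt32.exe > encx.com, with WINWORD.EXE absent; that is the gap the image-name rules close.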
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B07.tmp.cvr | — | — | — |
| 2784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ 6004001046-000001.doc.rtf | pgc | 03B70ADF992736FB6B19E7E9CD15B452 | F8C404921A86BDE83E37E8360FF4BCFF5056EFCC18F98AE21A3F682A88268F56 |
| 2784 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | BA460C4C1C046DB993972B8AB264FF96 | 6A1D7CDE90344875D591107AB84560D786E66BC397415E25C6FF33B25BC03C05 |
| 3336 | EQNEDT32.EXE | C:\ProgramData\encx.com | executable | 0DE6E159DDF9E72594A9724ACABFEB8B | 077F75EF7FDB1663E70C33E20D8D7C4383FA13FD95517FAB8023FCE526BF3A25 |

The two ~$ entries are Word's normal owner files for the open document and the Normal template; the only attacker-controlled artefact is encx.com, written by EQNEDT32.EXE.
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3336 | EQNEDT32.EXE | GET | 200 | 47.106.73.29:80 | http://sterilizationvalidation.com/wordpress/wp-content/uploads/2019/12/pov.exe | CN | executable | 290 KB | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2360 | encx.com | 208.91.199.225:587 | smtp.rianbowmax.com | PDR | US | shared |
3336 | EQNEDT32.EXE | 47.106.73.29:80 | sterilizationvalidation.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
| Domain | IP | Reputation |
|---|---|---|
| sterilizationvalidation.com | 47.106.73.29 | malicious |
| smtp.rianbowmax.com | 208.91.199.225 | malicious |
PID | Process | Class | Message |
---|---|---|---|
3336 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
3336 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3336 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3336 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2360 | encx.com | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2360 | encx.com | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
2360 | encx.com | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla SMTP Activity |
2360 | encx.com | A Network Trojan was detected | SPYWARE [PTsecurity] AgentTesla Exfiltration |
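Added example, not part of the ANY.RUN report: the two network behaviours the report records (an Office helper fetching a PE from a WordPress uploads folder, and the dropped binary speaking SMTP submission on 587) expressed as triage rules over sandbox-style connection records. RECORDS is constructed from the HTTP and connection tables above, plus two benign rows (Chrome, Outlook, with hypothetical PIDs and RFC 5737 addresses) to show that the rules stay quiet on ordinary traffic.

```python
"""Network triage for the download and exfiltration seen in the report.

Added example: RECORDS mirrors the report's HTTP request and connection
tables; the chrome.exe and outlook.exe rows are constructed benign traffic.
"""

from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

RECORDS = [
    # from the report: Equation Editor pulls pov.exe over plain HTTP
    {"pid": 3336, "process": "EQNEDT32.EXE", "kind": "http", "method": "GET",
     "url": "http://sterilizationvalidation.com/wordpress/wp-content/uploads/2019/12/pov.exe",
     "dst": "47.106.73.29", "dst_port": 80, "content": "executable"},
    # from the report: the dropped binary opens SMTP submission to the mail host
    {"pid": 2360, "process": "encx.com", "kind": "tcp",
     "dst": "208.91.199.225", "dst_port": 587, "domain": "smtp.rianbowmax.com"},
    # constructed benign rows (hypothetical PIDs, documentation-range IPs)
    {"pid": 4001, "process": "chrome.exe", "kind": "http", "method": "GET",
     "url": "https://downloads.example.com/setup.exe",
     "dst": "203.0.113.10", "dst_port": 443, "content": "executable"},
    {"pid": 4002, "process": "outlook.exe", "kind": "tcp",
     "dst": "203.0.113.25", "dst_port": 587, "domain": "smtp.example.com"},
]


def http_findings(rec):
    """Rules for an HTTP transfer record; only executable bodies matter here."""
    reasons = []
    if rec.get("content") != "executable":
        return reasons
    if rec["process"].lower() not in BROWSERS:
        # an Office helper (or any non-browser) fetching a PE is the first stage
        reasons.append("pe_download_by_non_browser")
    if "/wp-content/uploads/" in urlparse(rec["url"]).path.lower():
        # same condition the ET TROJAN "Download Request To Wordpress Folder"
        # alert above keys on: compromised WordPress sites host the payload
        reasons.append("pe_from_wordpress_uploads")
    return reasons


def tcp_findings(rec):
    """Rules for a raw TCP connection record."""
    if rec["dst_port"] in SMTP_PORTS and rec["process"].lower() not in MAIL_CLIENTS:
        # Agent Tesla's SMTP exfiltration: mail ports from a non-mail process
        return ["smtp_from_non_mail_client"]
    return []


def triage(records):
    """Map each PID with at least one finding to its list of reasons."""
    out = {}
    for rec in records:
        reasons = http_findings(rec) if rec["kind"] == "http" else tcp_findings(rec)
        if reasons:
            out.setdefault(rec["pid"], []).extend(reasons)
    return out


if __name__ == "__main__":
    for pid, reasons in triage(RECORDS).items():
        print(pid, ", ".join(reasons))
```

The SMTP rule deliberately does not look at the destination: Agent Tesla exfiltrates through ordinary mail providers, so the process name, not the server, is the stable signal.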