File name:	Payment Slip-11th-02-19.docx
Full analysis:	https://app.any.run/tasks/2822dade-724b-4e84-941e-bbc3c79d5196
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 11, 2019, 11:33:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	generated-doc exploit CVE-2017-11882 loader stealer rat agenttesla evasion trojan
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	921E777E84C8D581DFBB1D97ABB1BAF7
SHA1:	49FCFDE9EC19244DCC8C69EB74E8A4B9355EABDF
SHA256:	D764EFEFC60C3F02008A190FD9DE5B851E9713917CCE1AB934C7DFED1A9A5859
SSDEEP:	384:Q0RzBKgYJYiIZ2MgdmDO5RWryJHvdVGuiedSJ4H1A0mWuLinAXn+bMNELpFW1:Q0RO42MgdmDOariPdPdHHgc4eX8

.docx	\|	Word Microsoft Office Open XML Format document (52.2)
.zip	\|	Open Packaging Conventions container (38.8)
.zip	\|	ZIP compressed archive (8.8)

ModifyDate:	2019:02:11 07:06:00Z
CreateDate:	2019:02:11 07:06:00Z
RevisionNumber:	1
LastModifiedBy:	POLOLOCO
AppVersion:	12
HyperlinksChanged:	No
SharedDoc:	No
CharactersWithSpaces:	-
LinksUpToDate:	No
Company:	-
ScaleCrop:	No
Paragraphs:	1
Lines:	1
DocSecurity:	None
Application:	Microsoft Office Word
Characters:	-
Words:	-
Pages:	1
TotalEditTime:	-
Template:	Normal.dotm

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	1584
ZipCompressedSize:	377
ZipCRC:	0x2284e0ff
ZipModifyDate:	2019:02:11 00:08:10
ZipCompression:	Deflated
ZipBitFlag:	0x0002
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
3020	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Payment Slip-11th-02-19.docx"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000
2724	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
2696	"C:\Users\admin\AppData\Roaming\nagsedhr.exe"	C:\Users\admin\AppData\Roaming\nagsedhr.exe		EQNEDT32.EXE
User: admin Company: insobriety1 Integrity Level: MEDIUM Exit code: 0 Version: 6.09.0006
2952	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\fhh.vbs"	C:\Windows\SysWOW64\WScript.exe		nagsedhr.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2684	"C:\Users\admin\AppData\Local\Temp\subfolder\fhh.exe"	C:\Users\admin\AppData\Local\Temp\subfolder\fhh.exe	—	nagsedhr.exe
User: admin Company: insobriety1 Integrity Level: MEDIUM Exit code: 0 Version: 6.09.0006
2988	C:\Users\admin\AppData\Local\Temp\subfolder\fhh.exe"	C:\Users\admin\AppData\Local\Temp\subfolder\fhh.exe		fhh.exe
User: admin Company: insobriety1 Integrity Level: MEDIUM Version: 6.09.0006
1612	"C:\Windows\System32\eventvwr.exe"	C:\Windows\SysWOW64\eventvwr.exe	—	fhh.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2912	"C:\Windows\SysWOW64\eventvwr.exe"	C:\Windows\SysWOW64\eventvwr.exe		fhh.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2932	"C:\Users\admin\AppData\Local\Temp\90520db2-4777-4c96-9f74-f847213dd848.exe" C:\Users\admin\AppData\Local\Temp\500fa6ea-0689-4718-91b9-5d17a5a61ac9.tmp	C:\Users\admin\AppData\Local\Temp\90520db2-4777-4c96-9f74-f847213dd848.exe		fhh.exe
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0

PID	Process	Filename		Type
3020	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRF808.tmp.cvr		—
		MD5:—	SHA256:—
3020	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14ED13.jpg		—
		MD5:—	SHA256:—
3020	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{56EB0901-928F-4C2B-953B-302B53B866C6}.tmp		—
		MD5:—	SHA256:—
3020	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{968E33EF-711F-4A67-A753-D0DC94C6A30C}.tmp		—
		MD5:—	SHA256:—
3020	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB32842A-762D-442C-83A3-B16176FD68D7}.tmp		—
		MD5:—	SHA256:—
2724	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\DR[1].exe		executable
		MD5:0253CECDDEBB28A4624A935DD31078BC	SHA256:50929F95A4268F03630346A1AB9E5FF1FCAB8A7584F184C5852F32BB88DC0B6B
3020	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:637D2838AA291507F9585926300CC797	SHA256:F7EAF4CE63B4FA3E89F9C0501A936FE41B2294916E92889B32EF223A49635B21
3020	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Payment Slip-11th-02-19.LNK		lnk
		MD5:FE56F7C7942DB70D660672A71F2D9DBC	SHA256:84F01615BA60744D57F90035918F03EDE999FBDB6205D6B500F052D9809A9FBD
2724	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\nagsedhr.exe		executable
		MD5:0253CECDDEBB28A4624A935DD31078BC	SHA256:50929F95A4268F03630346A1AB9E5FF1FCAB8A7584F184C5852F32BB88DC0B6B
2696	nagsedhr.exe	C:\Users\admin\AppData\Local\Temp\subfolder\fhh.exe		executable
		MD5:0253CECDDEBB28A4624A935DD31078BC	SHA256:50929F95A4268F03630346A1AB9E5FF1FCAB8A7584F184C5852F32BB88DC0B6B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2988	fhh.exe	GET	200	52.0.208.170:80	http://checkip.amazonaws.com/	US	text	16 b	shared
2724	EQNEDT32.EXE	GET	200	207.174.213.181:80	http://geepaulcast.com/aas/DR.exe	US	executable	825 Kb	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
2988	fhh.exe	208.91.198.143:587	smtp.neweiico.com	PDR	US	shared
2724	EQNEDT32.EXE	207.174.213.181:80	geepaulcast.com	PDR	US	malicious
2988	fhh.exe	52.0.208.170:80	checkip.amazonaws.com	Amazon.com, Inc.	US	shared

Domain	IP	Reputation
geepaulcast.com	207.174.213.181	malicious
smtp.neweiico.com	208.91.198.143 208.91.199.224 208.91.199.225 208.91.199.223	malicious
checkip.amazonaws.com	52.0.208.170 52.200.125.74 34.233.102.38 18.233.42.138 34.196.82.108 52.202.139.131	shared

PID	Process	Class	Message
2724	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2988	fhh.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
2988	fhh.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP
2988	fhh.exe	A Network Trojan was detected	MALWARE [PTsecurity] AgentTesla IP Check

General Info

Payment Slip-11th-02-19.docx

921E777E84C8D581DFBB1D97ABB1BAF7

49FCFDE9EC19244DCC8C69EB74E8A4B9355EABDF

D764EFEFC60C3F02008A190FD9DE5B851E9713917CCE1AB934C7DFED1A9A5859

384:Q0RzBKgYJYiIZ2MgdmDO5RWryJHvdVGuiedSJ4H1A0mWuLinAXn+bMNELpFW1:Q0RO42MgdmDOariPdPdHHgc4eX8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Equation Editor starts application (CVE-2017-11882)

Suspicious connection from the Equation Editor

Downloads executable files from the Internet

Changes the autorun value in the registry

Known privilege escalation attack

Stealing of credential data

Actions looks like stealing of personal data

AGENTTESLA was detected

SUSPICIOUS

Executable content was dropped or overwritten

Executes scripts

Starts itself from another location

Creates files in the user directory

Application launched itself

Modifies the open verb of a shell class

Loads DLL from Mozilla Firefox

Connects to SMTP port

Reads the machine GUID from the registry

Checks for external IP

INFO

Creates files in the user directory

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

XMP

XML

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings