File name:	Paymentadvice.xlsx
Full analysis:	https://app.any.run/tasks/45245ab2-b94c-4068-a9c7-483b0fd7f90f
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 14, 2019, 13:34:00
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir exploit CVE-2017-11882 loader stealer evasion trojan rat agenttesla
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:	Microsoft Excel 2007+
MD5:	77C25F788EF53769BACE7EEDA30C2009
SHA1:	D6956D7AB4DF07C0025D0A5ED58A2A4F6D1C54F1
SHA256:	F44EE86652999164C7D40D90C97F924C2C0E8D500E342ED1EC4B9558571DBFF6
SSDEEP:	768:NnSlNxqmSKKsxqCbTAX1QM8Txw3txxI0AVrQYDi3d08GmplnVkIz9EfxJ:FSlWJsgCfAFIxU0DoNkIzuJ

.xlsx	\|	Excel Microsoft Office Open XML Format document (61.2)
.zip	\|	Open Packaging Conventions container (31.5)
.zip	\|	ZIP compressed archive (7.2)

AppVersion:	12
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
Company:	-
TitlesOfParts:	Sheet1 Sheet2 Sheet3
HeadingPairs:	Worksheets 3
ScaleCrop:	No
DocSecurity:	None
Application:	Microsoft Excel
ModifyDate:	2019:03:04 04:41:20Z
CreateDate:	2006:09:16 00:00:00Z
LastModifiedBy:	-

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	1947
ZipCompressedSize:	425
ZipCRC:	0xf9b9528b
ZipModifyDate:	2019:03:13 23:44:18
ZipCompression:	Deflated
ZipBitFlag:	0x0002
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
1640	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.4756.1000
2596	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
3000	C:\Users\admin\AppData\Local\Temp\nbvcx.exe	C:\Users\admin\AppData\Local\Temp\nbvcx.exe	—	EQNEDT32.EXE
User: admin Company: Umps Integrity Level: MEDIUM Description: Augiteporphyrite Exit code: 0 Version: 8.08.0001
2312	:\Users\admin\AppData\Local\Temp\nbvcx.exe	C:\Users\admin\AppData\Local\Temp\nbvcx.exe		nbvcx.exe
User: admin Company: Umps Integrity Level: MEDIUM Description: Augiteporphyrite Version: 8.08.0001
2800	"C:\Windows\System32\eventvwr.exe"	C:\Windows\SysWOW64\eventvwr.exe	—	nbvcx.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2772	"C:\Windows\SysWOW64\eventvwr.exe"	C:\Windows\SysWOW64\eventvwr.exe		nbvcx.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
544	"C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe" C:\Users\admin\AppData\Local\Temp\4572c12e-00a9-461c-918c-1d7734a7d6fc.tmp	C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe		nbvcx.exe
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0


(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	v2$
Value: 7632240068060000010000000000000000000000
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation:	write	Name:	MTTT
Value: 680600000EB4B89B6ADAD40100000000
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	delete value	Name:	v2$
Value: 7632240068060000010000000000000000000000
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	delete key	Name:
Value:
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation:	delete key	Name:
Value:
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	EXCELFiles
Value: 1315831831
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1315831934
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
1640	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVRFAF6.tmp.cvr		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E997D8B1.png		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\865586FE.png		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\Desktop\~$Paymentadvice.xlsx		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Paymentadvice.LNK		lnk
		MD5:28624137FFB5C14BED6247749251CE2F	SHA256:110008C8F5E7A80AE450B801AD9766CFA9F54CA0B40B2E9C54306E36561FD916
2312	nbvcx.exe	C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe		executable
		MD5:AFC242F6E1D17A413E034F9EAB70E28B	SHA256:5FF4BEA99B66DA3E069F890D298B54CBB4809631CAD7224E2AD8664E8BC3729D
2596	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Temp\nbvcx.exe		executable
		MD5:5C173C26C57E0D0249F6E5E3EC1362F0	SHA256:B4BF672CFC8F70D09393EAC68D203B204C14ECAD7F00ED2FB17D7D39AA4BABA4
3000	nbvcx.exe	C:\Users\admin\AppData\Local\Temp\~DF83CCBF87CC1F2FBF.TMP		binary
		MD5:7B7BCAC37973BC6CCDA8396E9A021C8E	SHA256:CAB361D91CB67B0BA82071C4E6EA912364E94D35E5ECA3FF95B5DEFB75644F0C
2596	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\du[1].com		executable
		MD5:5C173C26C57E0D0249F6E5E3EC1362F0	SHA256:B4BF672CFC8F70D09393EAC68D203B204C14ECAD7F00ED2FB17D7D39AA4BABA4
1640	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:F7B6CAC7F188EB792D18081CDBEA3A0B	SHA256:E6CB618FDCEF31BA718560DD734A256C03A61CFA496FFD9F2EC5D4DAB1D4F04E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2596	EQNEDT32.EXE	GET	200	204.93.161.26:80	http://simplex-express.com/zs/du.com	US	executable	970 Kb	suspicious
2312	nbvcx.exe	GET	200	52.200.125.74:80	http://checkip.amazonaws.com/	US	text	16 b	shared

PID	Process	IP	Domain	ASN	CN	Reputation
2312	nbvcx.exe	208.91.199.223:587	smtp.tpczj.biz	PDR	US	shared
2596	EQNEDT32.EXE	204.93.161.26:80	simplex-express.com	Server Central Network	US	suspicious
2312	nbvcx.exe	52.200.125.74:80	checkip.amazonaws.com	Amazon.com, Inc.	US	shared

Domain	IP	Reputation
simplex-express.com	204.93.161.26	suspicious
smtp.tpczj.biz	208.91.199.223 208.91.199.225 208.91.198.143 208.91.199.224	malicious
checkip.amazonaws.com	52.200.125.74 34.196.82.108 34.233.102.38 18.233.42.138 52.0.208.170 52.202.139.131	shared

PID	Process	Class	Message
2596	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2596	EQNEDT32.EXE	A Network Trojan was detected	ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2312	nbvcx.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
2312	nbvcx.exe	A Network Trojan was detected	MALWARE [PTsecurity] AgentTesla IP Check
2312	nbvcx.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP

General Info

Paymentadvice.xlsx

77C25F788EF53769BACE7EEDA30C2009

D6956D7AB4DF07C0025D0A5ED58A2A4F6D1C54F1

F44EE86652999164C7D40D90C97F924C2C0E8D500E342ED1EC4B9558571DBFF6

768:NnSlNxqmSKKsxqCbTAX1QM8Txw3txxI0AVrQYDi3d08GmplnVkIz9EfxJ:FSlWJsgCfAFIxU0DoNkIzuJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Suspicious connection from the Equation Editor

Equation Editor starts application (CVE-2017-11882)

Downloads executable files from the Internet

Known privilege escalation attack

Changes the autorun value in the registry

Actions looks like stealing of personal data

Stealing of credential data

AGENTTESLA was detected

SUSPICIOUS

Executable content was dropped or overwritten

Application launched itself

Modifies the open verb of a shell class

Loads DLL from Mozilla Firefox

Reads the machine GUID from the registry

Connects to SMTP port

Checks for external IP

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

XML

XMP

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings