File name:	Paymentadvice.xlsx
Full analysis:	https://app.any.run/tasks/45245ab2-b94c-4068-a9c7-483b0fd7f90f
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 14, 2019, 13:34:00
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir exploit cve-2017-11882 loader stealer evasion trojan rat agenttesla
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:	Microsoft Excel 2007+
MD5:	77C25F788EF53769BACE7EEDA30C2009
SHA1:	D6956D7AB4DF07C0025D0A5ED58A2A4F6D1C54F1
SHA256:	F44EE86652999164C7D40D90C97F924C2C0E8D500E342ED1EC4B9558571DBFF6
SSDEEP:	768:NnSlNxqmSKKsxqCbTAX1QM8Txw3txxI0AVrQYDi3d08GmplnVkIz9EfxJ:FSlWJsgCfAFIxU0DoNkIzuJ

.xlsx	\|	Excel Microsoft Office Open XML Format document (61.2)
.zip	\|	Open Packaging Conventions container (31.5)
.zip	\|	ZIP compressed archive (7.2)

ZipRequiredVersion:	20
ZipBitFlag:	0x0002
ZipCompression:	Deflated
ZipModifyDate:	2019:03:13 23:44:18
ZipCRC:	0xf9b9528b
ZipCompressedSize:	425
ZipUncompressedSize:	1947
ZipFileName:	[Content_Types].xml

LastModifiedBy:	-
CreateDate:	2006:09:16 00:00:00Z
ModifyDate:	2019:03:04 04:41:20Z
Application:	Microsoft Excel
DocSecurity:	None
ScaleCrop:	No
HeadingPairs:	Worksheets 3
TitlesOfParts:	Sheet1 Sheet2 Sheet3
Company:	-
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	12


(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	v2$
Value: 7632240068060000010000000000000000000000
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation:	write	Name:	MTTT
Value: 680600000EB4B89B6ADAD40100000000
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	delete value	Name:	v2$
Value: 7632240068060000010000000000000000000000
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	delete key	Name:
Value:
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation:	delete key	Name:
Value:
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	EXCELFiles
Value: 1315831831
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1315831934
(PID) Process:	(1640) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
1640	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVRFAF6.tmp.cvr		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E997D8B1.png		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\865586FE.png		—
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\Desktop\~$Paymentadvice.xlsx		—
		MD5:—	SHA256:—
2596	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\du[1].com		executable
		MD5:—	SHA256:—
3000	nbvcx.exe	C:\Users\admin\AppData\Local\Temp\~DF83CCBF87CC1F2FBF.TMP		binary
		MD5:—	SHA256:—
2312	nbvcx.exe	C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe		executable
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:—	SHA256:—
2596	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Temp\nbvcx.exe		executable
		MD5:—	SHA256:—
1640	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Paymentadvice.LNK		lnk
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2312	nbvcx.exe	GET	200	52.200.125.74:80	http://checkip.amazonaws.com/	US	text	16 b	malicious
2596	EQNEDT32.EXE	GET	200	204.93.161.26:80	http://simplex-express.com/zs/du.com	US	executable	970 Kb	suspicious

Domain	IP	Reputation
simplex-express.com	204.93.161.26	suspicious
smtp.tpczj.biz	208.91.199.223 208.91.199.225 208.91.198.143 208.91.199.224	malicious
checkip.amazonaws.com	52.200.125.74 34.196.82.108 34.233.102.38 18.233.42.138 52.0.208.170 52.202.139.131	malicious

PID	Process	Class	Message
2596	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2596	EQNEDT32.EXE	A Network Trojan was detected	ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2312	nbvcx.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
2312	nbvcx.exe	A Network Trojan was detected	MALWARE [PTsecurity] AgentTesla IP Check
2312	nbvcx.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP

General Info

Paymentadvice.xlsx

77C25F788EF53769BACE7EEDA30C2009

D6956D7AB4DF07C0025D0A5ED58A2A4F6D1C54F1

F44EE86652999164C7D40D90C97F924C2C0E8D500E342ED1EC4B9558571DBFF6

768:NnSlNxqmSKKsxqCbTAX1QM8Txw3txxI0AVrQYDi3d08GmplnVkIz9EfxJ:FSlWJsgCfAFIxU0DoNkIzuJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Equation Editor starts application (CVE-2017-11882)

Suspicious connection from the Equation Editor

Downloads executable files from the Internet

Known privilege escalation attack

Changes the autorun value in the registry

Actions looks like stealing of personal data

Stealing of credential data

AGENTTESLA was detected

SUSPICIOUS

Executable content was dropped or overwritten

Application launched itself

Modifies the open verb of a shell class

Reads the machine GUID from the registry

Loads DLL from Mozilla Firefox

Checks for external IP

Connects to SMTP port

INFO

Reads Microsoft Office registry keys

Reads the machine GUID from the registry

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

XMP

XML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings