File name: | fca1ffb54cfcea915591ea6961e31e6b0e708ee00adf36261c3e7fd64105ee4d |
Full analysis: | https://app.any.run/tasks/7a6b927a-b99b-4071-a9d9-1ad9097c722d |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 18, 2019, 00:04:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 84100DE54CE687A798728B9D5391DF1E |
SHA1: | 99C1F34B5B5767CEEDFFEE1ADC793D96C8C7D4EB |
SHA256: | FCA1FFB54CFCEA915591EA6961E31E6B0E708EE00ADF36261C3E7FD64105EE4D |
SSDEEP: | 48:cz22R3KMdINOzmuhzMWRoj4l061yYg4Ujcsl9+s3FrvbooJc8EPCBYKFrS7Ajkb0:c62R3KMdINmoE061Lb2qUyKdW6zRAP0 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3008 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\fca1ffb54cfcea915591ea6961e31e6b0e708ee00adf36261c3e7fd64105ee4d.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3404 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3060 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3564 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | malik.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAD18.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3564 | malik.exe | C:\Users\admin\AppData\Local\Temp\636990088051267500_3b9b5b15-7663-4c97-9c18-ea3c3b3e8063.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:80731A77B5409EB0E6949CC2F9FAB153 | SHA256:B14F1A55B91690F74AD14EFBF6E5D36310285FA178EB545A2A41611C03A1B260 | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$a1ffb54cfcea915591ea6961e31e6b0e708ee00adf36261c3e7fd64105ee4d.rtf | pgc | |
MD5:AD134A219D27E64EC403C7E6518C4B45 | SHA256:450382F296A1AF30B1D431FD4B4850FA2FDC6B6B779ECA1FAF533F4A8D9B0C32 | |||
3404 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\jj[1].exe | executable | |
MD5:BDF2F7889FB0F8D2D3C073741D9AA18F | SHA256:7DBF7EB5A40B1CE5366B4134E6595ED5CBA14011BDD61171BFA741FD96BB8F06 | |||
3404 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\malik.exe | executable | |
MD5:BDF2F7889FB0F8D2D3C073741D9AA18F | SHA256:7DBF7EB5A40B1CE5366B4134E6595ED5CBA14011BDD61171BFA741FD96BB8F06 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3564 | malik.exe | GET | 200 | 52.6.79.229:80 | http://checkip.amazonaws.com/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3564 | malik.exe | 52.6.79.229:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3564 | malik.exe | 43.225.55.205:587 | mail.hindlab.com | PDR | AE | malicious |
3404 | EQNEDT32.EXE | 104.168.167.87:80 | lectual.net | Hostwinds LLC. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
lectual.net |
| suspicious |
mail.hindlab.com |
| malicious |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3404 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3404 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3564 | malik.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3564 | malik.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |