File name: | invoice.doc |
Full analysis: | https://app.any.run/tasks/f87ad37f-1698-4693-b801-e5794a4552d8 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 18, 2019, 00:32:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 84100DE54CE687A798728B9D5391DF1E |
SHA1: | 99C1F34B5B5767CEEDFFEE1ADC793D96C8C7D4EB |
SHA256: | FCA1FFB54CFCEA915591EA6961E31E6B0E708EE00ADF36261C3E7FD64105EE4D |
SSDEEP: | 48:cz22R3KMdINOzmuhzMWRoj4l061yYg4Ujcsl9+s3FrvbooJc8EPCBYKFrS7Ajkb0:c62R3KMdINmoE061Lb2qUyKdW6zRAP0 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3504 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3612 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3488 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1516 | "C:\Users\admin\AppData\Roaming\malik.exe" | C:\Users\admin\AppData\Roaming\malik.exe | malik.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3504 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD0CD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3504 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4187E45F88BEE3ED994CA0ACD3262D14 | SHA256:6E29E07CB90BB52E1D55C8DB6BAFCD2BC90DC2AC6A36EE2FC5E94EC85118CAC0 | |||
3504 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nvoice.doc | pgc | |
MD5:E3D96E17C4BA81FBDB153D915DA990EC | SHA256:084310BAA543CB80C8368D411CF6159994825D1CD4455F443BC9C3C49615D342 | |||
1516 | malik.exe | C:\Users\admin\AppData\Local\Temp\636990103728786250_833d70bd-3707-4dba-b90b-35702abb7353.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3612 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\malik.exe | executable | |
MD5:BDF2F7889FB0F8D2D3C073741D9AA18F | SHA256:7DBF7EB5A40B1CE5366B4134E6595ED5CBA14011BDD61171BFA741FD96BB8F06 | |||
3612 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\jj[1].exe | executable | |
MD5:BDF2F7889FB0F8D2D3C073741D9AA18F | SHA256:7DBF7EB5A40B1CE5366B4134E6595ED5CBA14011BDD61171BFA741FD96BB8F06 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3612 | EQNEDT32.EXE | GET | 200 | 104.168.167.87:80 | http://lectual.net/jj/jj.exe | US | executable | 1.01 Mb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1516 | malik.exe | 43.225.55.205:587 | mail.hindlab.com | PDR | AE | malicious |
3612 | EQNEDT32.EXE | 104.168.167.87:80 | lectual.net | Hostwinds LLC. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
lectual.net |
| suspicious |
mail.hindlab.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3612 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3612 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1516 | malik.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |