Futuroso New Order.xlsx

Status: finished
Submission Time: 29.05.2020 13:38:19
Malicious
Trojan
Exploiter
Evader
AgentTesla

Details

  • Analysis ID:
    234173
  • API (Web) ID:
    364495
  • Analysis Started:
    29.05.2020 13:38:20
  • Analysis Finished:
    29.05.2020 13:46:39
  • MD5:
    c644ce0ba7cdcbe21a1b666a66d59a94
  • SHA1:
    9d9cf2e1223f8f0484daa16f988fa0b0400fb032
  • SHA256:
    145e698bcce7e4360e752f2c7d4c16134243938212f67c88014b787b1009a448
  • Technologies:
Verdicts

System: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)

  • Verdict: malicious
    Score: 100/100
  • Verdict: malicious
    Score: 21/72
  • Verdict: malicious
    Score: 23/31
  • Verdict: malicious
  • Verdict: malicious

IPs

  • IP: 107.173.219.40
    Country: United States

Domains

  • Name: systemsecureserverprotocolgooglegood.duckdns.org
    IP: 107.173.219.40

URLs

  • http://systemsecureserverprotocolgooglegood.duckdns.org/bg/
  • http://systemsecureserverprotocolgooglegood.duckdns.org/bg/invoice.doc
  • http://systemsecureserverprotocolgooglegood.duckdns.org/bg/vbc.exe

Dropped files

  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\bg on systemsecureserverprotocolgooglegood.duckdns.org.url
    MS Windows 95 Internet shortcut text (URL=<http://systemsecureserverprotocolgooglegood.duckdns.org/bg/>), ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netsh.url
    MS Windows 95 Internet shortcut text (URL=<file:///C:/Users/user/netsh/netsh.vbs>), ASCII text, with CR line terminators
  • C:\Users\user\AppData\Roaming\vbc.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\Desktop\~$Futuroso New Order.xlsx
    data
  • C:\Users\user\netsh\AcGenral.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A5U8YKW2\vbc[1].exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0003.docm
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RO0000.doc
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0004.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc
    Microsoft Word 2007+
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{219D7262-8DE4-4C1D-916B-0E23C41B1A4B}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DBA2E285-776E-4F15-9F39-4803B8D00ABE}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FFB975B2-53BE-4685-A0BE-009036C1FF2C}.tmp
    data
  • C:\Users\user\AppData\Local\Temp\{6D8A0A5F-CEBD-4B95-A01F-EB82C01D458B}
    data
  • C:\Users\user\AppData\Local\Temp\{CD847F1E-3E15-4086-8D03-74B7ED7FCA1A}
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\invoice.doc.url
    MS Windows 95 Internet shortcut text (URL=<http://systemsecureserverprotocolgooglegood.duckdns.org/bg/invoice.doc>), ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\Desktop\07630000
    data
  • C:\Users\user\Desktop\07630000:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\netsh\netsh.vbs
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{159CDB2A-0609-4239-991A-0CD5DF851025}.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F2C3B083-12E4-47F3-952B-19F35D0C5D78}.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X38UWNX5\invoice[1].doc
    Rich Text Format data, version 1, unknown character set
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\580F8C92.jpeg
    [TIFF image data, big-endian, direntries=1], baseline, precision 8, 965x543, frames 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84AF2B18.emf
    Windows Enhanced Metafile (EMF) image data version 0x10000
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD68C039.jpeg
    gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D7BC10B3.emf
    Windows Enhanced Metafile (EMF) image data version 0x10000
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9290395.doc
    Rich Text Format data, version 1, unknown character set