Loading ...

Play interactive tourEdit tour

Analysis Report Allignright_companyprofile.doc

Overview

General Information

Sample Name:Allignright_companyprofile.doc
Analysis ID:404236
MD5:5a0c6dd1f7bbc5272f2ced270e2d4d8a
SHA1:9f553e08793745277db8a0d3aa82a63b7526a28b
SHA256:fbc12470553e748b10dd0e1a15c6e28a1e777b626757349e46031f7e0608b8e6
Tags:AgentTesladoc
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Non Interactive PowerShell
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification