33.0.0 White Diamond
IR
502705
CloudBasic
10:34:10
14/10/2021
PO141021.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
9095b4b704c9f1ef75cc683b57e1f207
d88b99fc3fff5eac59d7fedd136fd467f1c17106
10df15707ce5a8b457ebccab5f4a5c3b2548ea755bc11666f5601583677f17b5
Rich Text Format (5005/1) 55.56%
Found malware configuration
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
Yara detected Telegram RAT
Yara detected AgentTesla
Uses the Telegram API (likely for C&C communication)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign process
Sigma detected: Droppers Exploiting CVE-2017-11882
Office equation editor drops PE file
Machine Learning detection for dropped file
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)