
Customer-unionroadwaysltd-8754-PO.doc__.rtf

Status: finished
Submission Time: 2021-06-16 11:53:51 +02:00
Malicious
Trojan
Adware
Spyware
Exploiter
Evader
AgentTesla

Tags

  • rtf

Details

  • Analysis ID:
    435313
  • API (Web) ID:
    802908
  • Analysis Started:
    2021-06-16 12:04:00 +02:00
  • Analysis Finished:
    2021-06-16 12:24:53 +02:00
  • MD5:
    97021239d41dc5efd26c0c26e922f06f
  • SHA1:
    1b1faa516a3774fb55f2473b21c9a189fffad8f7
  • SHA256:
    32269783938f1e9c0b60f92653957b6cbe356a3bd47b5df970f7485c16d327cf
  • Technologies:

Joe Sandbox

Engine Detection Info
malicious
Score: 100
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

malicious
Score: 8/45

IPs

IP Country Detection
104.21.14.60
United States
41.231.5.212
Tunisia
172.67.158.27
United States
149.154.167.220
United Kingdom

Domains

Name IP Detection
apdocroto.gq
104.21.14.60
kf.carthage2s.com
41.231.5.212
api.telegram.org
149.154.167.220

URLs

Name Detection
http://kf.carthage2s.com/log.exe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
http://apdocroto.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-73850014335AB72CBE7866A38A201CD2.html

Dropped files

Name File Type Hashes Detection
C:\Windows\Resources\Themes\Aero\Shell\52V57U7\svchost.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\putty.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e888z168ybTRefC409a4S5mn41ofdd.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows