
Doc2.xlsx

Status: finished
Submission Time: 22.07.2021 18:03:23
Malicious
Trojan
Exploiter
Evader
AgentTesla

Comments

Tags

  • VelvetSweatshop
  • xlsx

Details

  • Analysis ID:
    452692
  • API (Web) ID:
    820280
  • Analysis Started:
    22.07.2021 18:11:08
  • Analysis Finished:
    22.07.2021 18:25:29
  • MD5:
    7848697a2cff990710c69e8d97e55c13
  • SHA1:
    9af272f7dedd808c48b03d98d7eb75356b74f6ee
  • SHA256:
    ef17f47bcdb067d712661ddadff8ebee2924282c7fe21edd237e8094cc4ebdb0
  • Technologies:

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious 100/100

malicious 13/46

malicious

IPs

IP              Country   Detection
185.26.106.194  France
185.26.106.165  France

Domains

Name               IP              Detection
mail.spamora.net   185.26.106.194
arkemagrup.com     185.26.106.165

URLs


Dropped files

Name / File Type

  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Doc_87654334567[1].exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\WzyRXCWtdGSdEA.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\Desktop\~$Doc2.xlsx
    data
  • C:\Users\Public\vbc.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 61020 bytes, 1 file
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3593FE9D.png
    PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38D6D8CE.emf
    Windows Enhanced Metafile (EMF) image data version 0x10000
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AAF8EAF.png
    PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E649BE6.jpeg
    [TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BA4E7B3.png
    PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8762AF39.png
    PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D4B7BFA.jpeg
    [TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9691677.emf
    Windows Enhanced Metafile (EMF) image data version 0x10000
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AAE88E0C.jpeg
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC2C1618.jpeg
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4E71.tmp
    PC bitmap, Windows 3.x format, 20 x 20 x 24
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4EA1.tmp
    PC bitmap, Windows 3.x format, 20 x 20 x 24
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4EA2.tmp
    PC bitmap, Windows 3.x format, 20 x 20 x 24
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF96C.tmp
    PC bitmap, Windows 3.x format, 20 x 20 x 24
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF96D.tmp
    PC bitmap, Windows 3.x format, 20 x 20 x 24
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF96E.tmp
    PC bitmap, Windows 3.x format, 20 x 20 x 24
  • C:\Users\user\AppData\Local\Temp\Cab6E6E.tmp
    Microsoft Cabinet archive data, 61020 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\Tar6E6F.tmp
    data
  • C:\Users\user\AppData\Local\Temp\tmp74F2.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tmp7511.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators