Windows
Analysis Report
Order Request1_5_24.xlam.xlsx
Overview
General Information
Detection
AgentTesla, PureLog Stealer, RedLine
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 2308 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- EQNEDT32.EXE (PID: 2060 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- OIU.exe (PID: 1996 cmdline: C:\Users\user\AppData\Roaming\OIU.exe MD5: 158C5C0367C262694F3C44AE85B891B6)
- RegSvcs.exe (PID: 2072 cmdline: C:\Users\user\AppData\Roaming\OIU.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- OIU.exe (PID: 1100 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
- RegSvcs.exe (PID: 2760 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- OIU.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
- RegSvcs.exe (PID: 536 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- OIU.exe (PID: 2356 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
- RegSvcs.exe (PID: 2216 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- OIU.exe (PID: 1376 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
- RegSvcs.exe (PID: 2220 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- chrome.exe (PID: 2640 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- chrome.exe (PID: 1776 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1256,i,7674118080207217716,3458138178017285583,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- chrome.exe (PID: 3864 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- chrome.exe (PID: 4020 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1200,i,5669568352595894290,4267387126016238941,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | |
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverizu09@kino2.top", "Password": " XY%R[udi4U]= "}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

(24 entries in total; 5 shown)
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |

(65 entries in total; 5 shown)
Exploits |
---|
Source: | Author: Joe Security |
Source: | Author: Joe Security |
System Summary |
---|
Source: | Author: Max Altgelt (Nextron Systems) |
Source: | Author: Jason Lynch |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io |
No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Exploits |
---|
Source: | Network connect: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | File opened: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Code function: | 3_2_00C0DBBE, 3_2_00BDC2A2, 3_2_00C168EE, 3_2_00C1698F, 3_2_00C0D076, 3_2_00C0D3A9, 3_2_00C19642, 3_2_00C1979D, 3_2_00C19B2B, 3_2_00C15C97 |
Software Vulnerabilities |
---|
Source: | Process created: |
Source: | Code function: | 2_2_035206C1, 2_2_03520661, 2_2_03520867, 2_2_0352070D, 2_2_035207B4, 2_2_0352062A, 2_2_03520729, 2_2_0352075A, 2_2_035205DE, 2_2_03520776, 2_2_03520617, 2_2_0352079A, 2_2_0352059B, 2_2_03520582, 2_2_03520887, 2_2_035205B7 |
Source: | HTTP traffic detected: |