Verdict | Malicious |
Classifications | Injector, Exploit, Keylogger, Spyware (+1) |
Threat Names | AgentTesla, AgentTesla.v3, Mal/HTMLGen-A, Mal/Generic-S |
Dynamic Analysis Report
Created on 2022-08-05T10:56:24+00:00
Sample | 831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx |
Sample Type | Excel Document |
This is a filtered view: the list below contains only the embedded, downloaded, and dropped files.
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx | Sample File | Excel Document | Malicious |
File Reputation Information
Verdict | Malicious |
Names | Mal/Generic-S |
Office Information
Creator | Marcus Egharevba |
Last Modified By | Marcus Egharevba |
Create Time | 2022-07-27 00:32 (UTC+2) |
Modify Time | 2022-07-27 04:01 (UTC+2) |
Detected CVEs | CVE-2017-11882 |
Application | Microsoft Excel |
App Version | 12.0000 |
Document Security | NONE |
Worksheets | 3 |
Titles Of Parts | Sheet1, Sheet2, Sheet3 |
ScaleCrop | False |
SharedDoc | False |
Controls (1)
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{0002CE02-0000-0000-C000-000000000046} | Equation2 | CVE-2017-11882 |
Extracted Image Texts (1)
Image #1 (image1.png): trror @ vistie ype is nor sups
3cdf585582fd700e93ed92a047164e75dd9c566077f6a8439cb22bcda6eaa1e0 | Downloaded File | Binary | Malicious |
File Reputation Information
Verdict | Malicious |
Names | Mal/Generic-S |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x00435BCE |
Size Of Code | 0x00033C00 |
Size Of Initialized Data | 0x00000600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-07-25 10:30 (UTC+2) |
Version Information (7)
FileDescription | |
FileVersion | 0.0.0.0 |
InternalName | loLdHEIAhTdXVEolZcxBYxddUIzGx.exe |
LegalCopyright | |
OriginalFilename | loLdHEIAhTdXVEolZcxBYxddUIzGx.exe |
ProductVersion | 0.0.0.0 |
Assembly Version | 0.0.0.0 |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00033BD4 | 0x00033C00 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.07 |
.rsrc | 0x00436000 | 0x000002F8 | 0x00000400 | 0x00033E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.51 |
.reloc | 0x00438000 | 0x0000000C | 0x00000200 | 0x00034200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00035BA0 | 0x00033DA0 | 0x00000000 |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Downloaded File | Binary | Malicious |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x004037DE |
Size Of Code | 0x00001800 |
Size Of Initialized Data | 0x00000800 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-07-31 15:48 (UTC+2) |
Version Information (8)
Comments | System.Activities |
FileDescription | System.Activities |
FileVersion | 1.0.0.0 |
InternalName | System.Activities.exe |
LegalCopyright | System.Activities Copyright © 2018 |
OriginalFilename | System.Activities.exe |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x000017E4 | 0x00001800 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.29 |
.rsrc | 0x00404000 | 0x000005A0 | 0x00000600 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.04 |
.reloc | 0x00406000 | 0x0000000C | 0x00000200 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.08 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x000037AC | 0x000019AC | 0x00000000 |
Memory Dumps (6)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | 3 | 0x00400000 | 0x00407FFF | Relevant Image | 32-bit | - |
buffer | 3 | 0x0435E000 | 0x0435FFFF | First Network Behavior | 32-bit | - |
buffer | 3 | 0x00199000 | 0x0019FFFF | First Network Behavior | 32-bit | - |
jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | 3 | 0x00400000 | 0x00407FFF | First Network Behavior | 32-bit | - |
buffer | 3 | 0x046D0000 | 0x046E5FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | 3 | 0x00400000 | 0x00407FFF | Process Termination | 32-bit | - |
a3c9a7a1cdec5c9d295110e47dc2bb0298b736d3450b11d64391a927f3dfd537 | Downloaded File | Binary | Clean |
File Reputation Information
Verdict | Malicious |
Names | Mal/Generic-S |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0041415E |
Size Of Code | 0x00012200 |
Size Of Initialized Data | 0x00003000 |
File Type | IMAGE_FILE_DLL |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-07-30 17:27 (UTC+2) |
Version Information (8)
FileDescription | StartupNextInstanceEventArgs |
FileVersion | 1.0.0.0 |
InternalName | StartupNextInstanceEventArgs.dll |
LegalCopyright | Copyright © 2022 |
OriginalFilename | StartupNextInstanceEventArgs.dll |
ProductName | StartupNextInstanceEventArgs |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00012164 | 0x00012200 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.51 |
.rsrc | 0x00416000 | 0x00002CB4 | 0x00002E00 | 0x00012400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.07 |
.reloc | 0x0041A000 | 0x0000000C | 0x00000200 | 0x00015200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorDllMain | - | 0x00402000 | 0x00014138 | 0x00012338 | 0x00000000 |
a88a085369275032efda07d3ad2e49bda80a25fd5263bb1571d28465d2b0986c | Downloaded File | Unknown | Clean |
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream | Clean |
dbSYXB9S.Pu6cL | Extracted File | OLE Compound | Clean |
Office Information
Controls (1)
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{0002CE02-0000-0000-C000-000000000046} | Equation2 | CVE-2017-11882 |
CFB Streams (2)
Name | ID | Size |
---|---|---|
Root\vd4Gf9eRaIg9JoI2jb8EGtk | 1 | 0 Bytes |
Root\oLE10nATivE | 2 | 2.87 MB |
07a1fc33a407e2501619398a477d2eae23a3c1739113171f566c0140c898116f | Extracted File | Stream | Clean |