Verdict Malicious
Classifications Injector Exploit Keylogger Spyware +1
Threat Names AgentTesla AgentTesla.v3 Mal/HTMLGen-A Mal/Generic-S

Dynamic Analysis Report

Created on 2022-08-05T10:56:24+00:00

831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx

Excel Document
File Name Category Type Verdict
C:\Users\RDhJ0CNFevzX\Desktop\831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx Sample File Excel Document
Malicious
MIME Type application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File Size 2.69 MB
MD5 d0cd467a481799f5dc06a498e24ff4ad
SHA1 da919b490b8192eab7c577b4a85337d09eb56a9e
SHA256 831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c
SSDeep 49152:4yFhEeXk7Vs4O7VhPiiw176tK5fpiB+VkAT5H0T9DpZvlfp+INtJz:4uXmijhhPDwNgiBiBuTG1lx+IN3
ImpHash -
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
Office Information
Creator Marcus Egharevba
Last Modified By Marcus Egharevba
Create Time 2022-07-27 00:32 (UTC+2)
Modify Time 2022-07-27 04:01 (UTC+2)
Detected CVEs CVE-2017-11882
Application Microsoft Excel
App Version 12.0000
Document Security NONE
Worksheets 3
Titles Of Parts Sheet1, Sheet2, Sheet3
ScaleCrop False
SharedDoc False
Controls (1)
CLSID Control Name Associated Vulnerability
{0002CE02-0000-0000-C000-000000000046} Equation2 CVE-2017-11882
Extracted Image Texts (1)
Image #1: image1.png
trror @ vistie ype is nor sups
3cdf585582fd700e93ed92a047164e75dd9c566077f6a8439cb22bcda6eaa1e0 Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 209.00 KB
MD5 b70eae7dcad1bf8bc8efb0cdae14233d
SHA1 c6410cc3db54d7be49b3a36fea07a47a6787e253
SHA256 3cdf585582fd700e93ed92a047164e75dd9c566077f6a8439cb22bcda6eaa1e0
SSDeep 3072:AKU2/+gFlT/0uTSs5mqUKlHCUn97Wp3YJa12IfSejUetm5M0tDF0M2HGhM9sQ:dUER/5shUn97Wp3JKcU1ykM
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x00435BCE
Size Of Code 0x00033C00
Size Of Initialized Data 0x00000600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-07-25 10:30 (UTC+2)
Version Information (7)
FileDescription
FileVersion 0.0.0.0
InternalName loLdHEIAhTdXVEolZcxBYxddUIzGx.exe
LegalCopyright
OriginalFilename loLdHEIAhTdXVEolZcxBYxddUIzGx.exe
ProductVersion 0.0.0.0
Assembly Version 0.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x00033BD4 0x00033C00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.07
.rsrc 0x00436000 0x000002F8 0x00000400 0x00033E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.51
.reloc 0x00438000 0x0000000C 0x00000200 0x00034200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x00035BA0 0x00033DA0 0x00000000
C:\Users\RDhJ0CNFevzX\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Downloaded File Binary
Malicious
Also Known As c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\rphr8qg5\qgtgx[1].exe (Downloaded File, Extracted File)
MIME Type application/vnd.microsoft.portable-executable
File Size 8.50 KB
MD5 6d370555d43f89189867fd72222c6059
SHA1 79505977a7b45050a45bc4b715b21df8f49aa3f1
SHA256 41bf0e9b141cb3541ce14ca9de7f606fd30c20e02ce95936f41fb728bd6c2232
SSDeep 96:5PM1Y6CB0C0st2AbUCAb17mF3lIpDXHo2rbwCiCeQhULtgAwsMIkGTp9rQEkrGi4:SAT0st2MUQIN42rSCekUL+VtvC
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x00400000
Entry Point 0x004037DE
Size Of Code 0x00001800
Size Of Initialized Data 0x00000800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-07-31 15:48 (UTC+2)
Version Information (8)
Comments System.Activities
FileDescription System.Activities
FileVersion 1.0.0.0
InternalName System.Activities.exe
LegalCopyright System.Activities Copyright © 2018
OriginalFilename System.Activities.exe
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x000017E4 0x00001800 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.29
.rsrc 0x00404000 0x000005A0 0x00000600 0x00001A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.04
.reloc 0x00406000 0x0000000C 0x00000200 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x000037AC 0x000019AC 0x00000000
Memory Dumps (6)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe 3 0x00400000 0x00407FFF Relevant Image False 32-bit - False
buffer 3 0x0435E000 0x0435FFFF First Network Behavior False 32-bit - False
buffer 3 0x00199000 0x0019FFFF First Network Behavior False 32-bit - False
jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe 3 0x00400000 0x00407FFF First Network Behavior False 32-bit - False
buffer 3 0x046D0000 0x046E5FFF Reflectively Loaded .NET Assembly False 32-bit - False
jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe 3 0x00400000 0x00407FFF Process Termination False 32-bit - False
a3c9a7a1cdec5c9d295110e47dc2bb0298b736d3450b11d64391a927f3dfd537 Downloaded File Binary
Clean
MIME Type application/vnd.microsoft.portable-executable
File Size 85.00 KB
MD5 2851da4de93a5c4b08e7da2826112280
SHA1 eb8928863de42f9adf07b8d24c2f592006d41f7d
SHA256 a3c9a7a1cdec5c9d295110e47dc2bb0298b736d3450b11d64391a927f3dfd537
SSDeep 1536:AglbFJYneGYDdTrryH/2NiutP+z/cQ6zJTrO:Ag8eRFm2N7tP+bcQ6zJTC
ImpHash dae02f32a21e03ce65412f6e56942daa
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0041415E
Size Of Code 0x00012200
Size Of Initialized Data 0x00003000
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-07-30 17:27 (UTC+2)
Version Information (8)
FileDescription StartupNextInstanceEventArgs
FileVersion 1.0.0.0
InternalName StartupNextInstanceEventArgs.dll
LegalCopyright Copyright © 2022
OriginalFilename StartupNextInstanceEventArgs.dll
ProductName StartupNextInstanceEventArgs
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x00012164 0x00012200 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.51
.rsrc 0x00416000 0x00002CB4 0x00002E00 0x00012400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.07
.reloc 0x0041A000 0x0000000C 0x00000200 0x00015200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorDllMain - 0x00402000 0x00014138 0x00012338 0x00000000
a88a085369275032efda07d3ad2e49bda80a25fd5263bb1571d28465d2b0986c Downloaded File Unknown
Clean
MIME Type application/json
File Size 649 Bytes
MD5 82f3991f43bb7b4b97cd43746c9ba170
SHA1 6f7205ab61044df7c1dad5ca49a8488c0f2ed03f
SHA256 a88a085369275032efda07d3ad2e49bda80a25fd5263bb1571d28465d2b0986c
SSDeep 12:YKOHu/PipRUcZNJa3hckQGNqfcaGYuHCa50TSnbhGD3yzzinHHzxFE6l5V:YKOHPzjzJaMRhtcCa5PnK3gzUxFEO5V
ImpHash -
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
dbSYXB9S.Pu6cL Extracted File OLE Compound
Clean
Parent File C:\Users\RDhJ0CNFevzX\Desktop\831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx
MIME Type application/CDFV2
File Size 2.89 MB
MD5 af3daa7f28920aae1312efa2083d8dca
SHA1 ce331abe7036066df7375a1652341ae018984013
SHA256 02ea45ab816d1a7a04b5a026fb0303130a3ae47be3da47a9f67effb071015259
SSDeep 49152:f8FV0eZgdVw4+Vxhhi2Ot72Fab9pQTyPOIVzpAtdDHZvZGFapZh:fMZkSt/hhZO12IfQT6VyH
ImpHash -
Office Information
Controls (1)
CLSID Control Name Associated Vulnerability
{0002CE02-0000-0000-C000-000000000046} Equation2 CVE-2017-11882
CFB Streams (2)
Name ID Size
Root\vd4Gf9eRaIg9JoI2jb8EGtk 1 0 Bytes
Root\oLE10nATivE 2 2.87 MB
07a1fc33a407e2501619398a477d2eae23a3c1739113171f566c0140c898116f Extracted File Stream
Clean
Parent File C:\Users\RDhJ0CNFevzX\Desktop\831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx
MIME Type application/octet-stream
File Size 2.87 MB
MD5 1cc67b77c14774433eb3617d29f1cc2c
SHA1 e73f4c7cbec147788a0f55974dac879fef8ee070
SHA256 07a1fc33a407e2501619398a477d2eae23a3c1739113171f566c0140c898116f
SSDeep 49152:q8FV0eZgdVw4+Vxhhi2Ot72Fab9pQTyPOIVzpAtdDHZvZGFapZhH:qMZkSt/hhZO12IfQT6VyH9
ImpHash -
image1.png Extracted File Image
Clean
Parent File C:\Users\RDhJ0CNFevzX\Desktop\831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c.xlsx
MIME Type image/png
File Size 8.02 KB
MD5 a9ca5ee503b10e01be979f0843a1f65f
SHA1 52e1fffbda428bd216ae62586e39ac1c20fc25c5
SHA256 653f8662e65e224b05605b256bb4f6de5f29f2b155dc4477635b8e43024503e4
SSDeep 192:kls9+/gQllKX6BrlzeHQbj4D24m1hcfxCEKSPALL78koM:kls9+NllKX6BhSH0j4Dxm1CfEEKSPA/T
ImpHash -