File name: | tesv.exe |
Full analysis: | https://app.any.run/tasks/795b744a-b3f0-4579-bf24-3f6305bb835e |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | December 05, 2022, 21:20:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 2F31C58A5DCC9C95E02D4C69579F84CE |
SHA1: | C804F89594E1C5F3DDEB354D95FF51846EF0117D |
SHA256: | 04F981DEF642B739EC533F952D079E85E6BC2E69EF3DD85FEE944ADB86B4C7A1 |
SSDEEP: | 3072:RnTTzixN8mLBBWWcgU1GVhOKTpiCAVFRBm32WPcVybx0zEKzIV:5+3LBgWcgU1CQKSRBm32WPcVybx2E |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Dec-05 21:04:56 |
FileDescription: | - |
FileVersion: | 1.1.1.1 |
InternalName: | cd90d2ef-2f33-4752-a173-a004778f0225.exe |
LegalCopyright: | - |
OriginalFilename: | cd90d2ef-2f33-4752-a173-a004778f0225.exe |
ProductVersion: | 1.1.1.1 |
Assembly Version: | 1.1.1.1 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-Dec-05 21:04:56 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 160596 | 160768 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.05139 |
.rsrc | 172032 | 1360 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.01786 |
.reloc | 180224 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.39672 | 700 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1592 | "C:\Users\admin\AppData\Local\Temp\tesv.exe" | C:\Users\admin\AppData\Local\Temp\tesv.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Version: 1.1.1.1 Modules
|
(PID) Process: | (1592) tesv.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1592 | tesv.exe | 77.88.21.158:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
Domain | IP | Reputation |
---|---|---|
smtp.yandex.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
1592 | tesv.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |