File name:

0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9

Full analysis: https://app.any.run/tasks/abc8cabd-a2d1-46a5-a256-a7cd8278d262
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: January 10, 2025, 21:00:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
exfiltration
smtp
stealer
agenttesla
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

A4ACA3A3F0ED567D0BE602F90F230ABE

SHA1:

EA658B1610542D078B4A6594C4CDBF4DB4ACC38F

SHA256:

0797ECE0FC2A16BD36C4B921F3E7828F4CEC603CC37ED7F708EA4F56BDF4D9F9

SSDEEP:

49152:AHlGAXWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZC:RAGQX21RBt7QjTmcaTH/vU4do9Pcjq13

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 556)
    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 556)
    • AGENTTESLA has been detected (YARA)

      • RegSvcs.exe (PID: 556)
  • SUSPICIOUS

    • Connects to SMTP port

      • RegSvcs.exe (PID: 556)
    • The process connected to a server suspected of theft

      • RegSvcs.exe (PID: 556)
  • INFO

    • Reads mouse settings

      • 0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe (PID: 5828)
    • Checks supported languages

      • 0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe (PID: 5828)
      • RegSvcs.exe (PID: 556)
    • The sample compiled with english language support

      • 0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe (PID: 5828)
    • Reads the computer name

      • RegSvcs.exe (PID: 556)
    • Create files in a temporary directory

      • 0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe (PID: 5828)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 556)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 459776
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:10 11:38:57+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start svchost.exe 0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe no specs #AGENTTESLA regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5828"C:\Users\admin\AppData\Local\Temp\0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe" C:\Users\admin\AppData\Local\Temp\0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
556"C:\Users\admin\AppData\Local\Temp\0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
0797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
1 082
Read events
1 082
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
58280797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exeC:\Users\admin\AppData\Local\Temp\underbalancedbinary
MD5:258A70A3EF73FF6E4242D57BF6849EBC
SHA256:8EC54EB13E7BDA09DD635D4DDDEFE265D61E19F1C77EE71973E79EC37A1C3E08
58280797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exeC:\Users\admin\AppData\Local\Temp\aut611E.tmpbinary
MD5:E367AF197B3C9F076699941C8572CFB8
SHA256:6419A3199F2AA60DC06CA2799A11C480423AA7C93C9462826F94DD4FE87CF423
58280797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exeC:\Users\admin\AppData\Local\Temp\aut613F.tmpbinary
MD5:411760EEE843BAFAADEAE38AB535E190
SHA256:19DC5F7694B8EEF1C54DF2AF24C4539D33AEC28D7D2873A06113866789D42F16
58280797ece0fc2a16bd36c4b921f3e7828f4cec603cc37ed7f708ea4f56bdf4d9f9.exeC:\Users\admin\AppData\Local\Temp\inhumationtext
MD5:0C16D6C428C08E75F047B1F6BECE9602
SHA256:2A3FEA6A0DBFEE0F64F74D1D76D3F98C1545451F26B3396733ECA5CE9C9FDEFC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
32
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2548
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2548
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1412
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1296
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
556
RegSvcs.exe
185.174.175.187:587
cp8nl.hyperhost.ua
ITL LLC
UA
malicious
1296
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.184.238
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
cp8nl.hyperhost.ua
  • 185.174.175.187
malicious
login.live.com
  • 20.190.160.14
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.140
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID
Process
Class
Message
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via SMTP
No debug info