File name: Revised invoice.exe

Full analysis: https://app.any.run/tasks/fbaade2c-ab6b-4316-90c2-356a157d9c09
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: June 07, 2024, 08:56:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, agenttesla, exfiltration, smtp
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BBF053237D91844A971521DAB438F529
SHA1: 6D281685B802068A7F43E4950A5DBF1F5EF0CDF5
SHA256: 0FD8DA5D6FB04B52CFBC2074C9D5382A7B10AB501913B61E31408A2AA16A02E0
SSDEEP: 49152:K6WNkebmEFhOHGo4uh68QqyxBXSCXPGms1lw3F0YmKDSd0ujsE58Vq84wE8hnHka:l4kEm2O0uh68QqoBXSCXPGms1lw3F0YJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Revised invoice.exe (PID: 3984)
      • RegSvcs.exe (PID: 4032)
    • Changes the autorun value in the registry
      • RegSvcs.exe (PID: 4032)
    • Actions looks like stealing of personal data
      • RegSvcs.exe (PID: 4032)
    • Steals credentials from Web Browsers
      • RegSvcs.exe (PID: 4032)
    • AGENTTESLA has been detected (SURICATA)
      • RegSvcs.exe (PID: 4032)
    • AGENTTESLA has been detected (YARA)
      • RegSvcs.exe (PID: 4032)
    • Connects to the CnC server
      • RegSvcs.exe (PID: 4032)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • RegSvcs.exe (PID: 4032)
    • Executable content was dropped or overwritten
      • RegSvcs.exe (PID: 4032)
    • Accesses Microsoft Outlook profiles
      • RegSvcs.exe (PID: 4032)
    • The process connected to a server suspected of theft
      • RegSvcs.exe (PID: 4032)
    • Connects to SMTP port
      • RegSvcs.exe (PID: 4032)
    • Contacting a server suspected of hosting an CnC
      • RegSvcs.exe (PID: 4032)
  • INFO
    • Reads mouse settings
      • Revised invoice.exe (PID: 3984)
    • Checks supported languages
      • Revised invoice.exe (PID: 3984)
      • RegSvcs.exe (PID: 4032)
      • wmpnscfg.exe (PID: 2032)
    • Reads the computer name
      • RegSvcs.exe (PID: 4032)
      • wmpnscfg.exe (PID: 2032)
    • Reads the machine GUID from the registry
      • RegSvcs.exe (PID: 4032)
    • Reads Environment values
      • RegSvcs.exe (PID: 4032)
    • Create files in a temporary directory
      • Revised invoice.exe (PID: 3984)
    • Creates files or folders in the user directory
      • RegSvcs.exe (PID: 4032)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2032)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:06 14:09:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 581632
InitializedDataSize: 622592
UninitializedDataSize: -
EntryPoint: 0x2800a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.1.6.7
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 8.1.6.7
Total processes: 36
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> revised invoice.exe (no specs) -> regsvcs.exe (#AGENTTESLA); wmpnscfg.exe (no specs)

Process information

PID | CMD | Path | Parent process

2032 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\windows media player\wmpnscfg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

3984 | "C:\Users\admin\Desktop\Revised invoice.exe" | C:\Users\admin\Desktop\Revised invoice.exe | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 8.1.6.7
  Modules (images):
    c:\users\admin\desktop\revised invoice.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\wsock32.dll
    c:\windows\system32\ws2_32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\nsi.dll
    c:\windows\system32\version.dll

4032 | "C:\Users\admin\Desktop\Revised invoice.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Revised invoice.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Services Installation Utility
  Version: 4.8.3761.0 built by: NET48REL1
  Modules (images):
    c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
Total events: 1 752
Read events: 1 751
Write events: 1
Delete events: 0

Modification events

(PID) Process: (4032) RegSvcs.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: boqXv
Value: C:\Users\admin\AppData\Roaming\boqXv\boqXv.exe
Executable files: 1
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3984 | Revised invoice.exe | C:\Users\admin\AppData\Local\Temp\hypopygidium | binary
  MD5: 902BA33EB97CB101761D1F2DF6F75089
  SHA256: 085C04DCB8C744BCB6DEAC8386BBEC4586DAF65F89D11FC587879E66C423532B
3984 | Revised invoice.exe | C:\Users\admin\AppData\Local\Temp\cacostomia | text
  MD5: D51BBF5E6FFA09CFCFE69F823B1081ED
  SHA256: F30800F9AE56A3F2D0D7F9E142007290EEF1AAAEEA4AD7F4F3932D17D11C2E9D
3984 | Revised invoice.exe | C:\Users\admin\AppData\Local\Temp\aut3CCC.tmp | binary
  MD5: 902BA33EB97CB101761D1F2DF6F75089
  SHA256: 085C04DCB8C744BCB6DEAC8386BBEC4586DAF65F89D11FC587879E66C423532B
3984 | Revised invoice.exe | C:\Users\admin\AppData\Local\Temp\aut3CFC.tmp | binary
  MD5: BCA15739E8D9D78E1268302982151A35
  SHA256: E3405B0B680047A1160E9535CEE76926CEE4103B19A2A8EAEA519D5B002FD22E
4032 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\boqXv\boqXv.exe | executable
  MD5: 19855C0DC5BEC9FDF925307C57F9F5FC
  SHA256: C09191A1A46B7BFA82E381C5A0CC5FAE83787D63F550A8BD6BEAF33CC5C0C344
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 9

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown
4032 | RegSvcs.exe | 34.174.253.176:587 | mail.easternmoversbh.com | GOOGLE-CLOUD-PLATFORM | US | unknown

DNS requests

Domain | IP | Reputation
mail.easternmoversbh.com | 34.174.253.176 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
4032 | RegSvcs.exe | A Network Trojan was detected | STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
4032 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE AgentTesla Exfil Via SMTP
4032 | RegSvcs.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Clear Text Password Exfiltration Atempt
4032 | RegSvcs.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Clear Text Login Exfiltration Atempt
4032 | RegSvcs.exe | Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
4 ETPRO signatures available at the full report
No debug info