Malware analysis payment confirmation.exe Malicious activity

Add for printing

File name:	payment confirmation.exe
Full analysis:	https://app.any.run/tasks/f1de81b8-8d0f-4c17-b3ef-f770b0412b86
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 18, 2023, 08:53:22
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion agenttesla stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	099521FA325BBE1280463E5B38464301
SHA1:	F09356846B6AA5F0F9E648051765398E17E77107
SHA256:	10D4F54E3353007E0238CDFE1F380F8130B36A9D53915B78CA759561AEF90ECE
SSDEEP:	24576:7CPmmmmmmmm8KYdlVt7AwKwk2QNLameuwshdmW4gzIlquwXb1p4Ce0b:7CPmmmmmmmm8KYdlVt7AwLk2QNLameu5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - payment confirmation.exe (PID: 1744)
- Actions looks like stealing of personal data
  - payment confirmation.exe (PID: 2156)
- Steals credentials from Web Browsers
  - payment confirmation.exe (PID: 2156)
- Connects to the CnC server
  - payment confirmation.exe (PID: 2156)
- AGENTTESLA has been detected (YARA)
  - payment confirmation.exe (PID: 2156)
SUSPICIOUS
- Reads the Internet Settings
  - payment confirmation.exe (PID: 1744)
  - powershell.exe (PID: 2856)
  - payment confirmation.exe (PID: 2156)
- Process uses IPCONFIG to discard the IP address configuration
  - cmd.exe (PID: 3028)
- Base64-obfuscated command line is found
  - payment confirmation.exe (PID: 1744)
- Starts POWERSHELL.EXE for commands execution
  - payment confirmation.exe (PID: 1744)
- Process drops legitimate windows executable
  - payment confirmation.exe (PID: 1744)
- BASE64 encoded PowerShell command has been detected
  - payment confirmation.exe (PID: 1744)
- Process uses IPCONFIG to renew DHCP configuration
  - cmd.exe (PID: 1036)
- Application launched itself
  - payment confirmation.exe (PID: 1744)
- Starts CMD.EXE for commands execution
  - payment confirmation.exe (PID: 1744)
- Checks for external IP
  - payment confirmation.exe (PID: 2156)
- Accesses Microsoft Outlook profiles
  - payment confirmation.exe (PID: 2156)
- Connects to SMTP port
  - payment confirmation.exe (PID: 2156)
INFO
- Checks supported languages
  - payment confirmation.exe (PID: 1744)
  - payment confirmation.exe (PID: 2156)
- Reads the computer name
  - payment confirmation.exe (PID: 1744)
  - payment confirmation.exe (PID: 2156)
- Reads the machine GUID from the registry
  - payment confirmation.exe (PID: 1744)
  - payment confirmation.exe (PID: 2156)
- Creates files or folders in the user directory
  - payment confirmation.exe (PID: 1744)
- Reads Environment values
  - payment confirmation.exe (PID: 2156)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AgentTesla

(PID) Process(2156) payment confirmation.exe

Protocolsmtp

Hostmail.bezzleauto.com

Port25

Usernamepayables@bezzleauto.com

PasswordKene123456789

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:11 17:10:57+01:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	855552
InitializedDataSize:	12288
UninitializedDataSize:	-
EntryPoint:	0xd2d2e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.8.4115.0
ProductVersionNumber:	4.8.4115.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Microsoft .NET Framework 4.8 Setup
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft .NET Framework 4.8 Setup
FileVersion:	4.8.4115.0
InternalName:	Grzjdxvnv.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
LegalTrademarks:	-
OriginalFileName:	Grzjdxvnv.exe
ProductName:	Microsoft .NET Framework 4.8
ProductVersion:	4.8.4115.0
AssemblyVersion:	4.8.4115.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

279

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

976

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:267521 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1036

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\cmd.exe

—

payment confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1744

"C:\Users\admin\AppData\Local\Temp\payment confirmation.exe"

C:\Users\admin\AppData\Local\Temp\payment confirmation.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Framework 4.8 Setup

Exit code:

Version:

4.8.4115.0

Modules

Images
c:\users\admin\appdata\local\temp\payment confirmation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll

1764

ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IP Configuration Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2156

"C:\Users\admin\AppData\Local\Temp\payment confirmation.exe"

C:\Users\admin\AppData\Local\Temp\payment confirmation.exe

payment confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Framework 4.8 Setup

Exit code:

Version:

4.8.4115.0

Modules

Images
c:\users\admin\appdata\local\temp\payment confirmation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll

AgentTesla

(PID) Process(2156) payment confirmation.exe

Protocolsmtp

Hostmail.bezzleauto.com

Port25

Usernamepayables@bezzleauto.com

PasswordKene123456789

2260

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:726278 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2452

"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/

C:\Program Files\Internet Explorer\iexplore.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll

2620

ipconfig /release

C:\Windows\SysWOW64\ipconfig.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IP Configuration Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2856

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

payment confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

3028

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

—

payment confirmation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

7 675

Read events

7 596

Write events

Delete events

Modification events


(PID) Process:	(1744) payment confirmation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1744) payment confirmation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1744) payment confirmation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1744) payment confirmation.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2452) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 5
(PID) Process:	(2452) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value: 91676960
(PID) Process:	(2452) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31049115
(PID) Process:	(2452) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31049165
(PID) Process:	(2452) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2452) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2856	powershell.exe	C:\Users\admin\AppData\Local\Temp\vb3pf3h5.leq.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
1744	payment confirmation.exe	C:\Users\admin\AppData\Roaming\pdf.exe		executable
		MD5:099521FA325BBE1280463E5B38464301	SHA256:10D4F54E3353007E0238CDFE1F380F8130B36A9D53915B78CA759561AEF90ECE
2856	powershell.exe	C:\Users\admin\AppData\Local\Temp\knco0qal.5nr.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
976	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\LNM8POAU.htm		html
		MD5:276BBB20C29087E88DB63899FD8F9129	SHA256:5B61B0C2032B4AA9519D65CC98C6416C12415E02C7FBBAA1BE5121DC75162EDB
976	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\nav_logo229[1].png		image
		MD5:1B12CAB0347F8728AF450FE2457E79C3	SHA256:CA858453CE21CABDF9911C6FA3291AA630DF344244BC183A4D5AE9972E59F675
976	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SRO10HZK.txt		text
		MD5:3DB7BD3D133D5FF9AA77C0DE91913DE4	SHA256:8ABBA9352965531A3A947CAEB82CEE8416A6965F6971CA95539CA7899137EF98
976	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\JXN77DF5.htm		html
		MD5:68CB2BB648EFB05AF19CCA36F2603338	SHA256:CDDBD5D80A552E8DF1044A28B57C38069CD9D416F510729FE5E22C83EBBAC448
976	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\tia[1].png		image
		MD5:201E50D8DD7A30C0A918213686CA43B7	SHA256:C532312EEA8020A0370685B222A02B11BECD58CD394B509029DFF5956127DD81
976	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\FC0ZPZ4C.txt		text
		MD5:A407C7C33CCD40BA99BE095E623DE9A4	SHA256:E267A117144CCD091D61623A8EA4E9B68E4C7D9E57E4CEBA03ECEA5156D59098
976	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\TYNEX6ZJ.txt		text
		MD5:5389803BD9F36317802D621F2EDFB52C	SHA256:FA0C6C6A178EB3D405DF9ECFFF82350F55B43571EFDC75588E65D3D0CD13FC66

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2156	payment confirmation.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	text	6 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1220	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted
976	iexplore.exe	172.217.18.110:443	google.com	GOOGLE	US	whitelisted
976	iexplore.exe	172.217.16.196:443	www.google.com	GOOGLE	US	whitelisted
976	iexplore.exe	172.217.18.3:443	ssl.gstatic.com	GOOGLE	US	whitelisted
976	iexplore.exe	142.250.185.99:443	www.gstatic.com	GOOGLE	US	whitelisted
976	iexplore.exe	172.217.16.206:443	clients1.google.com	GOOGLE	US	whitelisted
2452	iexplore.exe	172.217.16.196:443	www.google.com	GOOGLE	US	whitelisted
976	iexplore.exe	142.250.186.174:443	apis.google.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	172.217.18.110	whitelisted
www.google.com	172.217.16.196	whitelisted
ssl.gstatic.com	172.217.18.3	whitelisted
www.gstatic.com	142.250.185.99	whitelisted
clients1.google.com	172.217.16.206	whitelisted
apis.google.com	142.250.186.174	whitelisted
www.bing.com	104.126.37.171 104.126.37.176 104.126.37.123 104.126.37.186 104.126.37.144 104.126.37.130 104.126.37.131 104.126.37.139 104.126.37.177	whitelisted
api.bing.com	13.107.5.80	whitelisted
ip-api.com	208.95.112.1	shared
mail.bezzleauto.com	45.151.123.240	malicious

Threats

PID	Process	Class	Message
2156	payment confirmation.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2156	payment confirmation.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2156	payment confirmation.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

payment confirmation.exe

099521FA325BBE1280463E5B38464301

F09356846B6AA5F0F9E648051765398E17E77107

10D4F54E3353007E0238CDFE1F380F8130B36A9D53915B78CA759561AEF90ECE

24576:7CPmmmmmmmm8KYdlVt7AwKwk2QNLameuwshdmW4gzIlquwXb1p4Ce0b:7CPmmmmmmmm8KYdlVt7AwLk2QNLameu5

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Connects to the CnC server

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Reads the Internet Settings

Process uses IPCONFIG to discard the IP address configuration

Base64-obfuscated command line is found

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

BASE64 encoded PowerShell command has been detected

Process uses IPCONFIG to renew DHCP configuration

Application launched itself

Starts CMD.EXE for commands execution

Checks for external IP

Accesses Microsoft Outlook profiles

Connects to SMTP port

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads Environment values

Malware configuration

AgentTesla

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AgentTesla

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings