File name: 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe

Full analysis: https://app.any.run/tasks/13c887d5-46a6-4237-b3f7-b9a699e5d3ac
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: July 16, 2024, 14:44:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, agenttesla, stealer, netreactor, smtp
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3221538184F97BA27744F40B2B884BD7
SHA1: 3B3095AD02B23BF93FC7CA78B5131C299A465752
SHA256: 1899FD3E17F6DFA447200D2269B8BE73B663B0AB49B3CFA13594B1588F515AD9
SSDEEP: 49152:e6WNkebmEFhOHGo4uh68QqyxBXSCXPGms1lw3F0YmKDSd0ujsE58Vq84wE8hnHkn:h4kEm2O0uh68QqoBXSCXPGms1lw3F0Y5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe (PID: 3628)
    • AGENTTESLA has been detected (YARA)
      • RegSvcs.exe (PID: 4372)
    • Steals credentials from Web Browsers
      • RegSvcs.exe (PID: 4372)
    • Scans artifacts that could help determine the target
      • RegSvcs.exe (PID: 4372)
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 4372)
  • SUSPICIOUS
    • Checks for external IP
      • RegSvcs.exe (PID: 4372)
    • Connects to SMTP port
      • RegSvcs.exe (PID: 4372)
  • INFO
    • Checks supported languages
      • 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe (PID: 3628)
      • RegSvcs.exe (PID: 4372)
    • Reads mouse settings
      • 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe (PID: 3628)
    • Reads the computer name
      • RegSvcs.exe (PID: 4372)
    • Creates files in a temporary directory
      • 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe (PID: 3628)
    • Checks proxy server information
      • RegSvcs.exe (PID: 4372)
    • Reads Environment values
      • RegSvcs.exe (PID: 4372)
    • Disables trace logs
      • RegSvcs.exe (PID: 4372)
    • Reads the machine GUID from the registry
      • RegSvcs.exe (PID: 4372)
    • .NET Reactor protector has been detected
      • RegSvcs.exe (PID: 4372)
    • Attempt to transmit an email message via SMTP
      • RegSvcs.exe (PID: 4372)
    • Reads the software policy settings
      • RegSvcs.exe (PID: 4372)
    • Reads Microsoft Office registry keys
      • RegSvcs.exe (PID: 4372)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

Extension | Description | Match (%)
.exe | Win64 Executable (generic) | 64.6
.dll | Win32 Dynamic Link Library (generic) | 15.4
.exe | Win32 Executable (generic) | 10.5
.exe | Generic Win/DOS Executable | 4.6
.exe | DOS Executable Generic | 4.6

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x2800a
UninitializedDataSize: -
InitializedDataSize: 571904
CodeSize: 581632
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:07:12 20:40:48+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe (no specs) → regsvcs.exe (THREAT)

Process information

PID: 3628
CMD: "C:\Users\admin\Desktop\1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe"
Path: C:\Users\admin\Desktop\1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\psapi.dll

PID: 4372
CMD: "C:\Users\admin\Desktop\1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  • c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ole32.dll
Total events: 1 275
Read events: 1 260
Write events: 15
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | write | EnableConsoleTracing | 0
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableFileTracing | 0
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableAutoFileTracing | 0
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | EnableConsoleTracing | 0
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | FileTracingMask |
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | ConsoleTracingMask |
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | MaxFileSize | 1048576
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32 | write | FileDirectory | %windir%\tracing
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | write | EnableFileTracing | 0
(4372) RegSvcs.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS | write | EnableAutoFileTracing | 0
Executable files: 0
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3628 | 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe | C:\Users\admin\AppData\Local\Temp\aut784.tmp | binary
MD5: D3C55CF48B1513C37201A46D505F81BA
SHA256: 4DA29482E4C1B81291487AF8AA98E6B3DF8A977480DDF1E4A5A33F3D3586200C
3628 | 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe | C:\Users\admin\AppData\Local\Temp\aut7D3.tmp | binary
MD5: 547580F7CCB275FC8CE57974D90374E2
SHA256: 82A5D10940597962EF02D78C6DB54D36FC448C0BA93DFF5C01BFF2E765E05EB2
3628 | 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe | C:\Users\admin\AppData\Local\Temp\proximobuccal | text
MD5: AE392235AF5E9D923DA30DCF2D5E4B9A
SHA256: AA2BFE0D404F9DD87DD2746A23579D7FE6121328F36FF2B02FB95F37904E58DF
3628 | 1899fd3e17f6dfa447200d2269b8be73b663b0ab49b3cfa13594b1588f515ad9.exe | C:\Users\admin\AppData\Local\Temp\vaccinators | binary
MD5: 3FF9B4F18CC77ED2A907134DD4DA231C
SHA256: C8DAD706E8A577708C92E596FB88C94F5D48EEE5DB56733B0FDEDF2363C75A8C
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 6
TCP/UDP connections: 35
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4372 | RegSvcs.exe | GET | - | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | unknown | - | -
1928 | RUXIMICS.exe | GET | - | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
1928 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
2204 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
2204 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
- | - | POST | 200 | 20.50.80.209:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2072 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1928 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2204 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1928 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2204 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4372 | RegSvcs.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
1928 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
ip-api.com | 208.95.112.1 | shared
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 20.44.10.123 | whitelisted
mail.uniform.gr | 185.25.23.138 | unknown

Threats

PID | Process | Class | Message
- | - | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4372 | RegSvcs.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
4372 | RegSvcs.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
4372 | RegSvcs.exe | Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
No debug info