File name:	king.exe
Full analysis:	https://app.any.run/tasks/08d8cda5-123e-434b-af59-981364904a68
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 15, 2025, 10:57:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion stealer agenttesla exfiltration smtp netreactor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:	0763CD65F6B5702458494123E97F2749
SHA1:	655386A271C50570C47D9CE909F10DE1719E3CC6
SHA256:	35AF2E0E56A27587170E0F093D625A6123E49AF4EA8B939C30CCD9FD8E69A2ED
SSDEEP:	24576:bAfTVnahE0m1N7tYFDCNXbIyozZjNrtvdbroLUU8NGq+DzBxFL2nEEMqY4qULTh8:bAfTVnahEjN74DCNXbIyozZjNrtvdbrK

.exe	\|	Win32 Executable Delphi generic (37.4)
.scr	\|	Windows screen saver (34.5)
.exe	\|	Win32 Executable (generic) (11.9)
.exe	\|	Win16/32 Executable Delphi generic (5.4)
.exe	\|	Generic Win/DOS Executable (5.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	354304
InitializedDataSize:	498688
UninitializedDataSize:	-
EntryPoint:	0x57754
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(5472) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(5004) king.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Pyemlwcw
Value: C:\Users\Public\Pyemlwcw.url
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3620) wcwlmeyP.pif	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wcwlmeyP_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

PID	Process	Filename		Type
5004	king.exe	C:\Users\Public\PyemlwcwF.cmd		text
		MD5:F82AEB3B12F33250E404DF6EC873DD1D	SHA256:23B7417B47C7EFB96FB7CE395E325DC831AB2EE03EADDA59058D31BDBE9C1EA6
644	extrac32.exe	C:\Users\Public\xkn.pif		executable
		MD5:2E5A8590CF6848968FC23DE3FA1E25F1	SHA256:9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
5004	king.exe	C:\Users\Public\Libraries\Pyemlwcw		binary
		MD5:D43502D49E5ACEDE223FC0FC3341C787	SHA256:671D6F1F876898AAB5A3B432FE2B23D320584C05BFD8D76C9BCFC5DD24F99AF4
3620	wcwlmeyP.pif	C:\Users\admin\AppData\Roaming\aWUFv\aWUFv.exe		executable
		MD5:22331ABCC9472CC9DC6F37FAF333AA2C	SHA256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
5004	king.exe	C:\Users\Public\Libraries\YKA		text
		MD5:5B464DABF13E3AA70604E6097E6BB30B	SHA256:22154F0969AED4ED804CD7DAD5C7C1764E9641CE698B82D572CB058546A9C2B5
5004	king.exe	C:\Windows \SysWOW64\NETUTILS.dll		executable
		MD5:A88976A70AED45F610A032E438A82A95	SHA256:F3D5A6EBCD8CAB3CC9A98488B23C2DE740C6EF04E33ED317A3E2A047D53D169B
5004	king.exe	C:\Windows \SysWOW64\svchost.pif		executable
		MD5:869640D0A3F838694AB4DFEA9E2F544D	SHA256:0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
5004	king.exe	C:\Users\Public\Libraries\NEO.cmd		text
		MD5:E24FA8FB365A89779B026772B9342AF3	SHA256:10D7B4EA056FC1037109FE6E6694849D145B0745FAA9AE02957104A2834A14A0
6056	xkn.pif	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_esefqhci.vwp.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5004	king.exe	C:\Users\Public\Libraries\FX.cmd		text
		MD5:7821E3DE3812E791CF3B223500D73BC9	SHA256:3DAA7F9EEE129F61F7A452F7150EE21A1C4141586A37F37842B9C3BB53152A74

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5564	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
5564	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	QA	binary	973 b	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
—	—	GET	200	172.67.74.152:443	https://api.ipify.org/	US	text	13 b	malicious
3620	wcwlmeyP.pif	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	shared
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	QA	binary	973 b	whitelisted
—	—	GET	200	166.62.27.188:443	https://amazonenviro.com/admin/245_Pyemlwcwdhj	US	text	835 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.23.227.198:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5564	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5564	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5004	king.exe	166.62.27.188:443	amazonenviro.com	AS-26496-GO-DADDY-COM-LLC	SG	unknown

Domain	IP	Reputation
www.bing.com	2.23.227.198 2.23.227.205 2.23.227.221 2.23.227.208 2.23.227.219 2.23.227.220	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
amazonenviro.com	166.62.27.188	unknown
api.ipify.org	172.67.74.152 104.26.12.205 104.26.13.205	shared
ip-api.com	208.95.112.1	shared
techniqueqatar.com	208.91.198.176	malicious
self.events.data.microsoft.com	20.50.80.214	whitelisted

PID	Process	Class	Message
3620	wcwlmeyP.pif	Potential Corporate Privacy Violation	ET POLICY Possible IP Check api.ipify.org
2192	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3620	wcwlmeyP.pif	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3620	wcwlmeyP.pif	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
3620	wcwlmeyP.pif	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
3620	wcwlmeyP.pif	Generic Protocol Command Decode	SURICATA SMTP invalid reply
3620	wcwlmeyP.pif	A Network Trojan was detected	STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
3620	wcwlmeyP.pif	Misc activity	INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)

General Info

king.exe

0763CD65F6B5702458494123E97F2749

655386A271C50570C47D9CE909F10DE1719E3CC6

35AF2E0E56A27587170E0F093D625A6123E49AF4EA8B939C30CCD9FD8E69A2ED

24576:bAfTVnahE0m1N7tYFDCNXbIyozZjNrtvdbroLUU8NGq+DzBxFL2nEEMqY4qULTh8:bAfTVnahEjN74DCNXbIyozZjNrtvdbrK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Starts PowerShell from an unusual location

Changes the autorun value in the registry

Steals credentials from Web Browsers

AGENTTESLA has been detected (SURICATA)

Actions looks like stealing of personal data

Connects to the CnC server

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Starts CMD.EXE for commands execution

There is functionality for taking screenshot (YARA)

Reads security settings of Internet Explorer

Executing commands from ".cmd" file

Drops a file with a rarely used extension (PIF)

Likely accesses (executes) a file from the Public directory

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts application with an unusual extension

Starts a Microsoft application from unusual location

Runs PING.EXE to delay simulation

Checks Windows Trust Settings

Checks for external IP

Potential Corporate Privacy Violation

Connects to SMTP port

INFO

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Reads the computer name

Checks supported languages

The sample compiled with english language support

The process uses the downloaded file

Process checks Powershell version

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads Environment values

Create files in a temporary directory

Creates files or folders in the user directory

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information