File name:	2025-05-16_c3db75af2d770b98ed82463612f3be24_agent-tesla_amadey_black-basta_cobalt-strike
Full analysis:	https://app.any.run/tasks/7aa0beb6-bacb-4e80-95a1-c9e26d8eec1f
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 17:49:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit auto-startup stealer purehvnc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	C3DB75AF2D770B98ED82463612F3BE24
SHA1:	6D50E6D8F2DA601BBA5C5D558E9670696B6DE1E4
SHA256:	47FB48DB920C1BD0CD19BADB6B6FBCBD0E15AE8E6EDE1AC475573B8779EE8C63
SSDEEP:	24576:Sp+/4UURxUruRrax70p5O9Qx+aAm0vYRO8t76Y:SE/XUraxm5O9QMal0QRO8t76

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:05:15 17:27:43+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.16
CodeSize:	734208
InitializedDataSize:	285696
UninitializedDataSize:	-
EntryPoint:	0x2549c
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode

PID	Process	Filename		Type
7400	powershell.exe	C:\Users\Public\Guard.exe		executable
		MD5:18CE19B57F43CE0A5AF149C96AECC685	SHA256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
7400	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:E6ABDCDCA57EB6DFF5A88A2A5D0F0469	SHA256:A42AEBB1B85F2D1725377921673E447212C359733B093C035964B92963C568C0
7628	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bfh3g2fd.fxk.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7380	2025-05-16_c3db75af2d770b98ed82463612f3be24_agent-tesla_amadey_black-basta_cobalt-strike.exe	C:\Users\Public\PublicProfile.ps1		text
		MD5:D88ED08A04E63CAA8E4D8D629FAFE119	SHA256:800F111DCCD1F0E1EACFCE9BD4DF61D4C66987D1CF7217145EC7FB535E7759A6
7896	Guard.exe	C:\Users\admin\AppData\Local\WordGenius Technologies\SwiftWrite.js		text
		MD5:0A555AD3783645DFA1C2B00668144C96	SHA256:A8D89AE8B181E0F7DA2C9B66BB8F1210FD65B481DBFD86720DBD531729801380
7628	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xwwykwvx.lb0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7896	Guard.exe	C:\Users\Public\jsc.exe		executable
		MD5:319F58BC07CB7AA8C5ADCD75BF0AAF8F	SHA256:9415E66A36AB70C6998ACB4AB5FAD63C4D18B9949B8EE02B2EBC8F3B07FEF6B1
7628	powershell.exe	C:\Users\Public\Secure.au3		text
		MD5:19C269FDDB3147E9209BCA8BB3C8E6FB	SHA256:C362FDD9A34DBCF32C846B97FCE73AEA775E6F119E1D57506DE895A2233AF183
7896	Guard.exe	C:\Users\admin\AppData\Local\WordGenius Technologies\SwiftWrite.pif		executable
		MD5:18CE19B57F43CE0A5AF149C96AECC685	SHA256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
7400	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3wzcctlb.p0y.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.2.82:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	2.16.2.82:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	2.16.2.82:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7928	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	2.16.2.82:80	crl.microsoft.com	Akamai International B.V.	CZ	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7400	powershell.exe	104.21.28.186:443	xcvbsfq32e42313.xyz	CLOUDFLARENET	—	unknown
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	2.16.2.82 2.16.2.24	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
login.live.com	40.126.32.68 40.126.32.140 20.190.160.4 20.190.160.131 40.126.32.136 20.190.160.17 40.126.32.133 20.190.160.3	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
xcvbsfq32e42313.xyz	104.21.28.186 172.67.147.76	unknown
nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs	—	unknown
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET HUNTING Request to .XYZ Domain with Minimal Headers

General Info

2025-05-16_c3db75af2d770b98ed82463612f3be24_agent-tesla_amadey_black-basta_cobalt-strike

C3DB75AF2D770B98ED82463612F3BE24

6D50E6D8F2DA601BBA5C5D558E9670696B6DE1E4

47FB48DB920C1BD0CD19BADB6B6FBCBD0E15AE8E6EDE1AC475573B8779EE8C63

24576:Sp+/4UURxUruRrax70p5O9Qx+aAm0vYRO8t76Y:SE/XUraxm5O9QMal0QRO8t76

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Downloads the requested resource (POWERSHELL)

Create files in the Startup directory

PUREHVNC has been detected (YARA)

SUSPICIOUS

Likely accesses (executes) a file from the Public directory

Downloads file from URI via Powershell

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

The process executes Powershell scripts

Starts the AutoIt3 executable file

Uses sleep to delay execution (POWERSHELL)

Drops a file with a rarely used extension (PIF)

There is functionality for taking screenshot (YARA)

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Connects to unusual port

Multiple wallet extension IDs have been found

INFO

Reads mouse settings

The sample compiled with english language support

Checks supported languages

Disables trace logs

Checks proxy server information

Manual execution by a user

Creates files or folders in the user directory

Reads the computer name

Auto-launch of the file from Startup directory

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections