File name:	ASW.exe
Full analysis:	https://app.any.run/tasks/19446a2a-d86c-4a61-85fd-2998e4e5c0f0
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 13, 2024, 19:44:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion ftp stealer agenttesla exfiltration
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:	634121B2AF66DD5433C1155702ABC84C
SHA1:	F3FD2A1800C4272BDF8209FF47E3703A4923E699
SHA256:	499DF614B640E6E6531F32CEB3271D7D661F5256D49F57E9D360A4791D37943F
SSDEEP:	49152:dDX8WT9544og/gLGtsIu/aMxrg5+FGgXJo0NhUfa1ydgf0WuAH/i2Ew07DWc:J5roy8xLrQDV0NIa1L0WuqNdc

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:09:12 19:28:30+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	48
CodeSize:	16282
InitializedDataSize:	69578
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Boulloart
FileDescription:	Boulloart
FileVersion:	1.0.0.0
InternalName:	Sochi.exe
LegalCopyright:	Copyright © Boulloart 2024
LegalTrademarks:	Boulloart
OriginalFileName:	Sochi.exe
ProductName:	Boulloart
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6840) ASW.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
Operation:	write	Name:	Enabled
Value: 0
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7132) RegSvcs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
4820	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ASW.exe_1ea351fb66b7653011c7b380214bb3684a8f3b_dea20013_2a57fff0-5460-4af3-b819-ec50d1b41562\Report.wer		—
		MD5:—	SHA256:—
4820	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\ASW.exe.6840.dmp		—
		MD5:—	SHA256:—
2136	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lcispyzb.2od.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4820	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC125.tmp.dmp		binary
		MD5:604EBFC0834954B3877AA69B70B8A49B	SHA256:0C1EBA60F1F13FCB1D0B85265EA31ED97D143D50DC924625A8BFE9F514FA4C5C
2136	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_or2svwie.1xt.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2136	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:FB2D11567358B0B4AFEFFE03EE0DF163	SHA256:8BC305431CF56D48D72A4577FA72F413CB38F3B8F84C78D98749C8BD03F21919
4820	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2EC.tmp.xml		xml
		MD5:33ECADE06C105ED3E551ED1F13D21A03	SHA256:CBC7FC5700F0FE95EAF507CC70245F3501A0B3547FA4521DB185D8FC07C3838D
4820	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2CC.tmp.WERInternalMetadata.xml		xml
		MD5:7C86E490E1702D5ADDA149B9A675B76F	SHA256:1669F5353A8A310FB5527FA60BE0C6E4A36007256D355DAEE3D7084BB0F47D02

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	23.32.97.216:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7132	RegSvcs.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2400	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6420	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	23.32.97.216:80	www.microsoft.com	AKAMAI-AS	SE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2400	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4820	WerFault.exe	20.189.173.22:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7132	RegSvcs.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	shared
7132	RegSvcs.exe	173.254.31.34:21	ftp.fosna.net	UNIFIEDLAYER-AS-1	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.185.206	whitelisted
www.microsoft.com	23.32.97.216	whitelisted
watson.events.data.microsoft.com	20.189.173.22	whitelisted
ip-api.com	208.95.112.1	shared
ftp.fosna.net	173.254.31.34	unknown

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7132	RegSvcs.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
7132	RegSvcs.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
7132	RegSvcs.exe	Misc activity	INFO [ANY.RUN] FTP protocol command for uploading a file
7132	RegSvcs.exe	A Network Trojan was detected	ET MALWARE AgentTesla Exfil via FTP
7132	RegSvcs.exe	A Network Trojan was detected	STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
7132	RegSvcs.exe	A Network Trojan was detected	STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
7132	RegSvcs.exe	Misc activity	INFO [ANY.RUN] FTP server is ready for the new user

General Info

ASW.exe

634121B2AF66DD5433C1155702ABC84C

F3FD2A1800C4272BDF8209FF47E3703A4923E699

499DF614B640E6E6531F32CEB3271D7D661F5256D49F57E9D360A4791D37943F

49152:dDX8WT9544og/gLGtsIu/aMxrg5+FGgXJo0NhUfa1ydgf0WuAH/i2Ew07DWc:J5roy8xLrQDV0NIa1L0WuqNdc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Connects to the CnC server

AGENTTESLA has been detected (SURICATA)

Stealers network behavior

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Reads the BIOS version

Reads security settings of Internet Explorer

Read disk information to detect sandboxing environments

The process checks if it is being run in the virtual environment

Reads the date of Windows installation

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Checks for external IP

Connects to FTP

Connects to unusual port

Executes application which crashes

INFO

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

The process uses the downloaded file

Reads the machine GUID from the registry

Process checks computer location settings

Disables trace logs

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings