Malware analysis 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe Malicious activity

Add for printing

File name:	5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe
Full analysis:	https://app.any.run/tasks/e3571fb0-d56d-4e54-8160-142e87869035
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 07, 2024, 09:00:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer agenttesla exfiltration
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	96C8E0D88340A9054802FE79776567D8
SHA1:	4AE391C4E63A66ABC3E473748AF8095501C64CAF
SHA256:	5DC68C4082F00849A418AA068B15322C9888E2462F517FEF05B6301EAB33C770
SSDEEP:	24576:T0xEHVppJd04DJICZd1GC1PqWVdLdf93YwzFxG2rRgdr4rYUIw:T0xEHlJd04DJICZd1GC1PqWbLdf93Ywh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 3396)
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Changes the autorun value in the registry
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- AGENTTESLA has been detected (YARA)
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Steals credentials from Web Browsers
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Scans artifacts that could help determine the target
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- AGENTTESLA has been detected (SURICATA)
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Actions looks like stealing of personal data
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Connects to the CnC server
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
SUSPICIOUS
- Application launched itself
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 3396)
- Executable content was dropped or overwritten
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Connects to SMTP port
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
INFO
- Reads the computer name
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 3396)
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Checks supported languages
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 3396)
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Reads the machine GUID from the registry
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 3396)
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Reads Environment values
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Creates files or folders in the user directory
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)
- Reads Microsoft Office registry keys
  - 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe (PID: 5012)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AgentTesla

(PID) Process(5012) 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

Protocolsmtp

Hostmail.adgumrukmusavirligi.com

Port587

Usernamegizemcevik@adgumrukmusavirligi.com

PasswordGizCvk2019!.

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe	\|	Win32 Executable MS Visual C++ (generic) (19.2)
.exe	\|	Win64 Executable (generic) (17)
.scr	\|	Windows screen saver (8)
.dll	\|	Win32 Dynamic Link Library (generic) (4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:05:07 04:38:30+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	716800
InitializedDataSize:	12288
UninitializedDataSize:	-
EntryPoint:	0xb0f9a
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	mDpRI.exe
LegalCopyright:
OriginalFileName:	mDpRI.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

126

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2332

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding

C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft OneDriveFile Co-Authoring Executable

Exit code:

Version:

19.043.0304.0013

Modules

Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

3396

"C:\Users\admin\AppData\Local\Temp\5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe"

C:\Users\admin\AppData\Local\Temp\5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

5012

"C:\Users\admin\AppData\Local\Temp\5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe"

C:\Users\admin\AppData\Local\Temp\5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

AgentTesla

(PID) Process(5012) 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

Protocolsmtp

Hostmail.adgumrukmusavirligi.com

Port587

Usernamegizemcevik@adgumrukmusavirligi.com

PasswordGizCvk2019!.

Add for printing

Total events

1 482

Read events

1 480

Write events

Delete events

Modification events


(PID) Process:	(5012) 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	skyT
Value: C:\Users\admin\AppData\Roaming\skyT\skyT.exe
(PID) Process:	(5012) 5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:	write	Name:	skyT
Value: 020000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2332	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-07.0901.2332.1.aodl		binary
		MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3	SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
2332	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-07.0901.2332.1.odl		binary
		MD5:500087C60D84F523621968D6C0493898	SHA256:295146E2461C38E1BF4AD4AE80BD7A0CD4C417C221665019404C6E4A3FF0AF5D
5012	5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe	C:\Users\admin\AppData\Roaming\skyT\skyT.exe		executable
		MD5:96C8E0D88340A9054802FE79776567D8	SHA256:5DC68C4082F00849A418AA068B15322C9888E2462F517FEF05B6301EAB33C770

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5940	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
5548	svchost.exe	GET	200	104.84.57.181:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
3700	SIHClient.exe	GET	200	23.34.33.147:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
4680	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	—	—	unknown
3700	SIHClient.exe	GET	200	23.34.33.147:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
5836	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
5548	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2308	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5548	svchost.exe	104.84.57.181:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4680	SearchApp.exe	2.19.96.25:443	www.bing.com	Akamai International B.V.	DE	unknown
5012	5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe	94.199.206.42:587	mail.adgumrukmusavirligi.com	Aerotek Bilisim Sanayi ve Ticaret AS	TR	unknown
4680	SearchApp.exe	2.19.96.19:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
www.microsoft.com	104.84.57.181 23.34.33.147	whitelisted
www.bing.com	2.19.96.25 2.19.96.26 2.19.96.19 2.19.96.18 2.19.96.34 2.19.96.11 2.19.96.10 2.19.96.24 2.19.96.16	whitelisted
r.bing.com	2.19.96.19 2.19.96.34 2.19.96.10 2.19.96.16 2.19.96.18 2.19.96.11 2.19.96.26 2.19.96.24 2.19.96.25	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.73 20.190.159.68 20.190.159.64 40.126.31.73 20.190.159.2 40.126.31.69 40.126.31.71 20.190.159.71	whitelisted
mail.adgumrukmusavirligi.com	94.199.206.42	malicious
go.microsoft.com	23.34.44.219	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted

Threats

PID	Process	Class	Message
5012	5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe	A Network Trojan was detected	STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770.exe

96C8E0D88340A9054802FE79776567D8

4AE391C4E63A66ABC3E473748AF8095501C64CAF

5DC68C4082F00849A418AA068B15322C9888E2462F517FEF05B6301EAB33C770

24576:T0xEHVppJd04DJICZd1GC1PqWVdLdf93YwzFxG2rRgdr4rYUIw:T0xEHlJd04DJICZd1GC1PqWbLdf93Ywh

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

AGENTTESLA has been detected (YARA)

Steals credentials from Web Browsers

Scans artifacts that could help determine the target

AGENTTESLA has been detected (SURICATA)

Actions looks like stealing of personal data

Connects to the CnC server

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Connects to SMTP port

INFO

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Reads Environment values

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Malware configuration

AgentTesla

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AgentTesla

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings