File name: SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe

Full analysis: https://app.any.run/tasks/d4510155-58a9-4c1a-a464-dafa15a7306d
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: May 24, 2025, 17:06:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, agenttesla, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 15CD46C01A0BE43B33D29B8433F00160
SHA1: 28DDAF0E742D6175CB68184F42BD2A751FEB5FE3
SHA256: 63A6AC193381AD88B9EC816284A116BA0712935536DD51CA605D0A7E6636F306
SSDEEP: 24576:NzzKxYE6kSN4N1L5H/PHZfcQ/xlcrp03zqXrKEWur0EV30bhZ:5zKxYE6kSN4N1L5H/PHZfcOxlcrp03z5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AGENTTESLA has been detected (YARA)

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Actions look like stealing of personal data

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Steals credentials from Web Browsers

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
    • There is functionality for taking screenshot (YARA)

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Application launched itself

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
    • Checks for external IP

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
      • svchost.exe (PID: 2196)
    • Connects to FTP

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Connects to the server without a host name

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • The sample was compiled with English language support

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
    • Reads the computer name

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Creates files in a temporary directory

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7476)
    • Checks proxy server information

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
      • slui.exe (PID: 7936)
    • Disables trace logs

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
    • Reads the software policy settings

      • slui.exe (PID: 7936)
    • Reads the machine GUID from the registry

      • SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe (PID: 7588)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration extracted.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: kiggeren
InternalName: analyseprincipperne.exe
OriginalFileName: analyseprincipperne.exe
ProductName: inexplosive lithotriptor kosystemet
All screenshots are available in the full report
Total processes: 125
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, securiteinfo.com.win32.evo-gen.5257.13593.exe, securiteinfo.com.win32.evo-gen.5257.13593.exe (#AGENTTESLA), svchost.exe, slui.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 7476
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe"
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe
Parent process: explorer.exe
User: admin
Company: kiggeren
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\securiteinfo.com.win32.evo-gen.5257.13593.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7588
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe"
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe
Parent process: SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe
User: admin
Company: kiggeren
Integrity Level: MEDIUM
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\securiteinfo.com.win32.evo-gen.5257.13593.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 7936
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 5 079
Read events: 4 838
Write events: 241
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\trigoniaceous\Etherism\vgtedes | write | naboens | 58ADC7
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | u
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | us
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | use
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | user
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | user3
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | user32
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | user32:
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | user32::
7476 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | HKEY_CURRENT_USER\SOFTWARE\Locales Approx | write | C Langs | user32::S
Executable files: 1
Suspicious files: 2
Text files: 4
Unknown types: 0

Dropped files

All files below were dropped by PID 7476 (SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe).

C:\Users\admin\myrtales\Hngepartier.tan (binary)
MD5: CE8468BB0B13D1A82E17A39F7DECD237
SHA256: 48819DB05229F669D38CF6E27D3155CE93239B980D90541CC939BE7A90AD83C1

C:\Users\admin\AppData\Local\Temp\nsmD574.tmp\System.dll (executable)
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

C:\Users\admin\myrtales\Afpresningen.ini (text)
MD5: 98FA729A6A1667B2AD36FE39BD1724F9
SHA256: 6734FBA8AE4215EE960C22CBF12E97A01187EC292C1C73C36E67547787D9972B

C:\Users\admin\myrtales\cranemen.str (binary)
MD5: D3104CE1BC52E61E4C7E0CAD391C0CE2
SHA256: E1A1A99656E78928655A63013B9BFE3F9BF3A9BEB3EBC1A529313E60A6DED56A

C:\Users\admin\myrtales\gasovn.ini (text)
MD5: 5B2B1F60DDE0FEAD147C187BBDD8CEA0
SHA256: 64A7EB0E1764B648F542DFA32F462D03C1522F2700750D7F4AC9317D7437D2A9

C:\Users\admin\myrtales\hudflet.jpg (image)
MD5: 9087E69A84879B60E56FAAB61E60D79C
SHA256: 458F487BEBC668EC26C7D88D14FF1B20356FA8018A2BF0BEB997E74D6DA9A5C5

C:\Users\admin\AppData\Local\Temp\Settings.ini (text)
MD5: A6216EF9FBE57B11DEEB1B1FD840C392
SHA256: EDF6C9DA71DAF3B3DA2E89A1BC6B9F4B812F18FC133CF4706A3AE983E4040946
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 7
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6456 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6456 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | GET | 200 | 107.172.132.31:80 | http://107.172.132.31/bGgTrBjL115.bin | unknown | - | - | unknown
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6456 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6456 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6456 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | 107.172.132.31:80 | - | AS-COLOCROSSING | US | unknown
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | 89.39.83.184:21 | ftp.horeca-bucuresti.ro | ROMARG SRL | RO | unknown
7356 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
ip-api.com | 208.95.112.1 | whitelisted
ftp.horeca-bucuresti.ro | 89.39.83.184 | unknown
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
7588 | SecuriteInfo.com.Win32.Evo-gen.5257.13593.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
No debug info