File name:

SOA as at 26th FEB. 2024 - "Account"<accounts3@fardarlogistics.com> - 2024-02-28 0128.eml

Full analysis: https://app.any.run/tasks/dc734fb5-f3f6-4275-9b2c-de795ca210ab
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: February 28, 2024, 18:07:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
spam
stealer
agenttesla
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text, with CRLF line terminators
MD5:

55EB3E7264E489F88D991577E57185C5

SHA1:

93E9768683A6A41EA14E4DF2768AA4312F5C411C

SHA256:

9C57727C4F0FD1C33820AA9084C8AF553CFCFB71199A2A43F74C5574C8C83D6D

SSDEEP:

24576:iILHUijLL372Tll5AUQSaS04wlRt7NQ+R61g:LJsWWmmkL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • OUTLOOK.EXE (PID: 4804)
      • SOA.PDF.exe (PID: 1020)
      • RegSvcs.exe (PID: 6440)

    • Changes the autorun value in the registry

      • RegSvcs.exe (PID: 6440)

    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 6440)

    • Scans artifacts that could help determine the target

      • RegSvcs.exe (PID: 6440)

    • AGENTTESLA has been detected (SURICATA)

      • RegSvcs.exe (PID: 6440)

    • Connects to the CnC server

      • RegSvcs.exe (PID: 6440)

    • AGENTTESLA has been detected (YARA)

      • RegSvcs.exe (PID: 6440)

    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 6440)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3024)
      • SOA.PDF.exe (PID: 1020)

    • Executable content was dropped or overwritten

      • SOA.PDF.exe (PID: 1020)
      • RegSvcs.exe (PID: 6440)

    • Reads the date of Windows installation

      • SOA.PDF.exe (PID: 1020)

    • Process drops legitimate windows executable

      • RegSvcs.exe (PID: 6440)

    • Connects to SMTP port

      • RegSvcs.exe (PID: 6440)

  • INFO

    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 4804)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3024)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3024)

    • Manual execution by a user

      • WinRAR.exe (PID: 3024)

    • Reads the computer name

      • SOA.PDF.exe (PID: 1020)
      • RegSvcs.exe (PID: 6440)

    • Checks supported languages

      • SOA.PDF.exe (PID: 1020)
      • RegSvcs.exe (PID: 6440)

    • Reads the machine GUID from the registry

      • SOA.PDF.exe (PID: 1020)
      • RegSvcs.exe (PID: 6440)

    • Checks proxy server information

      • slui.exe (PID: 4552)

    • Reads the software policy settings

      • slui.exe (PID: 4552)

    • Creates files or folders in the user directory

      • SOA.PDF.exe (PID: 1020)
      • RegSvcs.exe (PID: 6440)

    • Create files in a temporary directory

      • SOA.PDF.exe (PID: 1020)

    • Process checks computer location settings

      • SOA.PDF.exe (PID: 1020)

    • Reads Environment values

      • RegSvcs.exe (PID: 6440)

    • Reads Microsoft Office registry keys

      • RegSvcs.exe (PID: 6440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process(6440) RegSvcs.exe
Protocolsmtp
Hostmail.unitech-co.com.tr
Port587
Usernamemiray@unitech-co.com.tr
PasswordMm@57650Mm
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 1) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs slui.exe winrar.exe soa.pdf.exe schtasks.exe no specs conhost.exe no specs #AGENTTESLA regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
1020"C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.21958\SOA.PDF.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.21958\SOA.PDF.exe
WinRAR.exe
User:
admin
Company:
yet
Integrity Level:
MEDIUM
Description:
ww
Exit code:
0
Version:
3.6.8.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3024.21958\soa.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
1776\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3024"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SOA.PDF.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4552C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
4804"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\Downloads\dc734fb5-f3f6-4275-9b2c-de795ca210ab.eml"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\microsoft office\root\office16\outlookservicing.dll
c:\windows\system32\ole32.dll
5612"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xoOiedqKhWYXR" /XML "C:\Users\admin\AppData\Local\Temp\tmpD09.tmp"C:\Windows\SysWOW64\schtasks.exeSOA.PDF.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6440"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
SOA.PDF.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
AgentTesla
(PID) Process(6440) RegSvcs.exe
Protocolsmtp
Hostmail.unitech-co.com.tr
Port587
Usernamemiray@unitech-co.com.tr
PasswordMm@57650Mm
6564"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "E720B494-3FA6-4762-A810-75EE806EC1B4" "C063BB70-CC99-4AA0-B6D3-7A2CFCD4E397" "4804"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events
32 593
Read events
31 320
Write events
1 124
Delete events
149

Modification events

(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:6
Value:
01941A000000001000B24E9A3E05000000000000000500000000000000
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4804
Operation:writeName:0
Value:
0B0E108C2C1CA94EBC44409897D763BC4E0D0A230046DFB89CE58FCE9AED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C425D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootCommand
Value:
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootFailureCount
Value:
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:delete keyName:(default)
Value:
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:CantBootResolution
Value:
BootSuccess
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:ProfileBeingOpened
Value:
Outlook
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:SessionId
Value:
90DAD708-B605-4845-A6C4-89376D82CD0B
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:BootDiagnosticsLogFile
Value:
C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20230209T1802460432-6544.etl
(PID) Process:(4804) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:ProfileBeingOpened
Value:
Executable files
3
Suspicious files
14
Text files
8
Unknown types
10

Dropped files

PID
Process
Filename
Type
4804OUTLOOK.EXEC:\USERS\ADMIN\DOCUMENTS\OUTLOOK FILES\OUTLOOK1.PST
MD5:
SHA256:
4804OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:4DEBB2614BCA88C6D70AB50DCFACC8E2
SHA256:02763D237FCC1722A9C180DB3A7851AFD959608DDF4453A9C290C98A18B8EBDC
4804OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DATbinary
MD5:6D4DE3C5917BAA7B9B0C272974B2FD4E
SHA256:EA295E017CCCD7A740EE9B7BFED3CC7C0FBBE82C991C26C051F8B3F549AB2F14
4804OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9binary
MD5:E6F9E8C8E78FF82CC1285E1F1C547DFE
SHA256:3F271FA707DB43E63113A4FCED070446595E00DD25CA3A1D517D696C89C1F806
4804OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:53FEEEDEB8D9B8F885864943183EEB46
SHA256:6745A84878B6C176CBC9CC276C30E8902D58110886BEC48DBCED9FFB7B0807C9
4804OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:D651DC463E3A2527EF6C1AD3DC226DAB
SHA256:E5B7CB1C79A1D857063EFE8FA7A4A2BD9E5CB54F9AF4EC4848A75257BACA9BED
4804OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
4804OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B0F54CCA-77E3-4DFF-9673-48D1751568BAxml
MD5:FC8A173D8E23BEE61F80C57A1591240B
SHA256:443ADDC968C38E6B7F75B28092B7A008C86B775920C5B93A6D9326E44E1BD6A8
4804OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9der
MD5:43E157F235A1E7A3ED39EA2A7EDB6AC8
SHA256:4D48BD47C9071CEAFFD8B0674AE4B1BAA29955B21505D2FE63DE08A9A4713DC7
4804OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:D7FBFAA8E36AFC5D56EEBC7416105C64
SHA256:D9DD59E069FF2A1F5B2FC7668887D1761064A706E1AAF3CA72D5940D7906E4CB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
44
DNS requests
22
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5928
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
4804
OUTLOOK.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
binary
471 b
unknown
4804
OUTLOOK.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
binary
471 b
unknown
6432
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.01 Kb
unknown
6896
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.01 Kb
unknown
1608
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
1268
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
binary
313 b
unknown
2464
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
binary
717 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5928
svchost.exe
20.190.160.14:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
3848
svchost.exe
239.255.255.250:1900
unknown
6896
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4804
OUTLOOK.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
4804
OUTLOOK.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:137
whitelisted
4804
OUTLOOK.EXE
52.109.76.243:443
roaming.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4804
OUTLOOK.EXE
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4804
OUTLOOK.EXE
2.21.20.142:443
omex.cdn.office.net
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
roaming.officeapps.live.com
  • 52.109.76.243
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
omex.cdn.office.net
  • 2.21.20.142
  • 2.21.20.154
whitelisted
messaging.lifecycle.office.com
  • 52.111.243.12
whitelisted
nleditor.osi.office.net
  • 52.111.243.43
  • 52.111.243.42
  • 52.111.243.40
  • 52.111.243.41
whitelisted
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.168
  • 104.126.37.161
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.145
  • 104.126.37.154
  • 104.126.37.153
  • 104.126.37.152
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted

Threats

PID
Process
Class
Message
6440
RegSvcs.exe
A Network Trojan was detected
STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SOA as at 26th FEB. 2024 - "Account"<accounts3@fardarlogistics.com> - 2024-02-28 0128.eml