File name:	ebb7fec4ddd5764b944028ca32c453346d00503fffc5f09d60e40d31e8de80a3
Full analysis:	https://app.any.run/tasks/e4350931-c432-441a-a7ba-780bea857037
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 04:33:24
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec purecrypter netreactor evasion auto-startup ultravnc rmm-tool stealer agenttesla
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	37B14C53735862A063E6A82CCACA42E3
SHA1:	9C09EC38963FDFC093A1E4DCFA02A3B1D73EBD16
SHA256:	EBB7FEC4DDD5764B944028CA32C453346D00503FFFC5F09D60E40D31E8DE80A3
SSDEEP:	49152:CNX9/6v83gJgyMZ15es9R0K41pahEEHy/KLku8IB5ez5r72vmmo5DhzGkSR+5FJF:6XEv83lyMPjR0Kcpahku8aY+W557+6rF

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:04:29 08:24:02
ZipCRC:	0x60649e59
ZipCompressedSize:	1172268
ZipUncompressedSize:	1255936
ZipFileName:	Order V548780.exe


(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\ebb7fec4ddd5764b944028ca32c453346d00503fffc5f09d60e40d31e8de80a3.zip
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5680) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6872) Order V548780.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6872) Order V548780.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

PID	Process	Filename		Type
5324	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tmfix1qn.toa.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5324	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pvz0pgpl.1kq.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6872	Order V548780.exe	C:\Users\admin\AppData\Roaming\main.exe		executable
		MD5:912C123891A7D463E1EA75B86E54F947	SHA256:51EB3B1C63AEC8D2DFD4A8D3B1032567D81FF493B2DFE5166C35A50E05EBCB06
5680	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR5680.8177\ebb7fec4ddd5764b944028ca32c453346d00503fffc5f09d60e40d31e8de80a3.zip\Order V548780.exe		executable
		MD5:912C123891A7D463E1EA75B86E54F947	SHA256:51EB3B1C63AEC8D2DFD4A8D3B1032567D81FF493B2DFE5166C35A50E05EBCB06
5680	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR5680.8177\Rar$Scan58203.bat		text
		MD5:736744647BE3D6D559B3F0E4EB320646	SHA256:842530B95383BE2D7DDA6CC8FF2FEF49FEB5734F8FE8D8BA7B65C31DBEA36B65
6872	Order V548780.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs		text
		MD5:712510D093BA2A822DE52C8020555089	SHA256:51B8A04FC1C9B67BEFEA5C840EE8956EC411F9E8945505C75D18B32585955E49
5324	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kagkumtn.vv1.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
208	MpCmdRun.exe	C:\Users\admin\AppData\Local\Temp\MpCmdRun.log		binary
		MD5:3DCE268ACE375AA641ABE20956FD0C78	SHA256:F499326831954C76559CD2BCF8B99C5AD62D3C53D81CCC6376F6336A14362717
5324	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1csrqnhs.w45.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5324	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:44735E0648830E139F526594EF5343D7	SHA256:C2C362784066CB138CB6772BFEDC20C3C66F991F6EA1D4612916EB2592A49205

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6404	RUXIMICS.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6404	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	172.67.74.152:443	https://api.ipify.org/	unknown	text	12 b	malicious
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	104.26.12.205:443	https://api.ipify.org/	unknown	text	12 b	malicious
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6404	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6404	RUXIMICS.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6404	RUXIMICS.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
812	InstallUtil.exe	104.26.13.205:443	api.ipify.org	CLOUDFLARENET	US	shared
812	InstallUtil.exe	46.175.148.58:25	mail.iaa-airferight.com	Serverius Holding B.V.	NL	malicious
4920	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6576	InstallUtil.exe	104.26.13.205:443	api.ipify.org	CLOUDFLARENET	US	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
api.ipify.org	104.26.13.205 172.67.74.152 104.26.12.205	shared
mail.iaa-airferight.com	46.175.148.58	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
812	InstallUtil.exe	Potential Corporate Privacy Violation	ET INFO Possible IP Check api.ipify.org
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
812	InstallUtil.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
—	—	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
—	—	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
6576	InstallUtil.exe	Potential Corporate Privacy Violation	ET INFO Possible IP Check api.ipify.org
6576	InstallUtil.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
—	—	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)

General Info

ebb7fec4ddd5764b944028ca32c453346d00503fffc5f09d60e40d31e8de80a3

37B14C53735862A063E6A82CCACA42E3

9C09EC38963FDFC093A1E4DCFA02A3B1D73EBD16

EBB7FEC4DDD5764B944028CA32C453346D00503FFFC5F09D60E40D31E8DE80A3

49152:CNX9/6v83gJgyMZ15es9R0K41pahEEHy/KLku8IB5ez5r72vmmo5DhzGkSR+5FJF:6XEv83lyMPjR0Kcpahku8aY+W557+6rF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

PURECRYPTER has been detected (YARA)

Create files in the Startup directory

Actions looks like stealing of personal data

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Process uses IPCONFIG to discard the IP address configuration

Starts CMD.EXE for commands execution

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Reads security settings of Internet Explorer

Base64-obfuscated command line is found

Executable content was dropped or overwritten

Checks for external IP

Runs shell command (SCRIPT)

Potential Corporate Privacy Violation

Connects to SMTP port

Process uses IPCONFIG to renew DHCP configuration

Executing commands from a ".bat" file

INFO

Manual execution by a user

Reads the computer name

Checks supported languages

Process checks computer location settings

Reads the machine GUID from the registry

.NET Reactor protector has been detected

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Auto-launch of the file from Startup directory

Creates files or folders in the user directory

Disables trace logs

Reads the software policy settings

Checks proxy server information

ULTRAVNC has been detected

Executable content was dropped or overwritten

Create files in a temporary directory

Malware configuration

AgentTesla

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

AgentTesla

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information