File name:

Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f

Full analysis: https://app.any.run/tasks/0d1ec64a-fd0c-48c6-9e2b-3d4fe9b0540b
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 12:19:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
evasion
agenttesla
ftp
exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

2F2EEE86A5FBD07B022ABC9E6A702476

SHA1:

49DFF449327F2874C0303E120E955B39C2F324D1

SHA256:

FDD259D2CFBB8FBC3015F9172EEDB97075424FE7252E541B197A3A8D70F8F69F

SSDEEP:

24576:ux5ztjVWKfchT59U0ahMDgsJbREmcLfwP6ccMglhszuSpm3Kv9kAOrUxAU:05ztjVWUchT59U0ahMDgsJbREmcLfwCi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Steals credentials from Web Browsers

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • AGENTTESLA has been detected (SURICATA)

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)

    • There is functionality for taking screenshot (YARA)

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)
      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)

    • The process creates files with name similar to system file names

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)

    • Application launched itself

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)

    • Reads security settings of Internet Explorer

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Connects to the server without a host name

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Connects to FTP

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Connects to unusual port

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

  • INFO

    • Reads the computer name

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)
      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • The sample compiled with english language support

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)

    • Checks supported languages

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)
      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Create files in a temporary directory

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7420)

    • Checks proxy server information

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)
      • slui.exe (PID: 7936)

    • Disables trace logs

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Reads the machine GUID from the registry

      • Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe (PID: 7788)

    • Reads the software policy settings

      • slui.exe (PID: 7936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:07:25 00:55:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x326a
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.5.0.0
ProductVersionNumber: 2.5.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: caterva conceptualizations manuskriftbearbejdelse
CompanyName: upsheath stemmeplejen
FileDescription: trestemmigt synchronisers electrograving
FileVersion: 2.5.0.0
LegalCopyright: suggestioneredes alterbogens
LegalTrademarks: susurrant bambusmblernes
ProductVersion: 2.5.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe #AGENTTESLA sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7420"C:\Users\admin\Desktop\Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe" C:\Users\admin\Desktop\Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
explorer.exe
User:
admin
Company:
upsheath stemmeplejen
Integrity Level:
MEDIUM
Description:
trestemmigt synchronisers electrograving
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\users\admin\desktop\sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7788"C:\Users\admin\Desktop\Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe" C:\Users\admin\Desktop\Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
User:
admin
Company:
upsheath stemmeplejen
Integrity Level:
MEDIUM
Description:
trestemmigt synchronisers electrograving
Version:
2.5.0.0
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7936C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 824
Read events
4 598
Write events
226
Delete events
0

Modification events

(PID) Process:(7420) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_CURRENT_USER\sanhedrist\Uninstall\courtezanship\Pingfeng215
Operation:writeName:bohireen
Value:
0
(PID) Process:(7420) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_CURRENT_USER\navlebeskuelsen\udlggerne
Operation:writeName:arbejdsrutinens
Value:
%repertoiret%\asheries.exe
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7788) Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
1
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\Diskettestativ.ranbinary
MD5:35A3B9090237E7DB20A40FD2D5CAC07C
SHA256:C9D9CF234B3D4D3F637D1600749F546C0A5CD09014F281920CBDE08A49EA4E78
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\Skillfulnesses.petbinary
MD5:C46E90461397144DAA6DC907D1CD972E
SHA256:AFABA43FC077903502079D78EB9E034D8ABDBD466DB7D7963833AAFAA3DB3108
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\cal.jpgimage
MD5:254C7EDB09308B552EB0791F55B73D85
SHA256:810C00A3F18A98B66251D0929AD9AEFC98869AAFB9E995AC0C6C3D46536C3970
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\coalier.afkbinary
MD5:4111393448DD24C02238CB055F41BC38
SHA256:91A532AA74FD66AAEB5C393BD10F5B54C794A97F57F9841D60CE83E3A2D774D1
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\Carity.Bes41binary
MD5:D7A6896D4C0B0DD6E12287B958AD230D
SHA256:A1575BCCD1EDC1168F2FFBC60615CD573DF52081BF186DB203361C516E4117FC
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\noncome.initext
MD5:CE10B9604EC0AF5451C3B3C97057810A
SHA256:471D5B71F3C466D2C1D902F09E294889BF2D84F07187CD701497342B0545B4FC
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\sydvestlige\dydsmnstrenes\Afstaar\indeksnavnes.txtini
MD5:8FA3FBFD2F88629AB63C456187EA38DA
SHA256:A125840BC60B2E09ADFF4FEB2C351781691F646749782717EC95417A224CA8D7
7420Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exeC:\Users\admin\AppData\Local\Temp\nsn4A74.tmp\System.dllexecutable
MD5:A4DD044BCD94E9B3370CCF095B31F896
SHA256:2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
25
DNS requests
9
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
GET
200
109.248.144.209:80
http://109.248.144.209/KfBsKJpNLnYLcLA246.bin
unknown
unknown
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
ftp.srv.server-phsperu.net
  • 107.190.139.130
malicious

Threats

PID
Process
Class
Message
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
Potentially Bad Traffic
ET HUNTING Generic .bin download from Dotted Quad
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
A Network Trojan was detected
ET MALWARE AgentTesla Exfil via FTP
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
Misc activity
INFO [ANY.RUN] FTP protocol command for uploading a file
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
A Network Trojan was detected
STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
A Network Trojan was detected
STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
7788
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f.exe
Misc activity
INFO [ANY.RUN] FTP server is ready for the new user
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_fdd259d2cfbb8fbc3015f9172eedb97075424fe7252e541b197a3a8d70f8f69f