=
flash

#NEW ORDER FOR JANUARY 2022.exe

Status: finished
Submission Time: 14.01.2022 05:31:34
Malicious
Trojan
Exploiter
Evader
AgentTesla

Comments

Tags

  • agenttesla
  • exe

Details

  • Analysis ID:
    553020
  • API (Web) ID:
    920542
  • Analysis Started:
    14.01.2022 05:31:36
  • Analysis Finished:
    14.01.2022 05:47:36
  • MD5:
    8b974d65bf7e334d75f57027821ac628
  • SHA1:
    f3ccc2d15a771715e6653d470f955f7095e3cd17
  • SHA256:
    c2628acd6b807facd37a0b0db1068f80fa2c87702d6a687445a9ec1dc3bc2421
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
8/43

Domains

Name IP Detection
api.telegram.org
149.154.167.220

URLs

Name Detection
http://127.0.0.1:HTTP/1.1
https://api.ipify.org%GETMozilla/5.0
http://DynDns.comDynDNS
Click to see the 7 hidden entries
http://tempuri.org/
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocumentdocument-----
http://YsLVkm.com
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#NEW ORDER FOR JANUARY 2022.exe.log
ASCII text, with CRLF line terminators
#
C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
ASCII text, with CRLF line terminators
#
Click to see the 16 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2rnex2ek.lje.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uypqtat.42m.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2nywgzx.vdr.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj0etfuz.zra.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knfqx50j.snp.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knth15sn.2xz.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndedftbp.hio.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pswme1px.15w.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qim5i45f.hre.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrcvsx0a.z50.ps1
very short file (no magic)
#
C:\Users\user\Documents\20220114\PowerShell_transcript.301389.8tzwXQ58.20220114053231.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20220114\PowerShell_transcript.301389.Cb2iz80h.20220114053303.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20220114\PowerShell_transcript.301389.Kmftd8NL.20220114053244.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20220114\PowerShell_transcript.301389.TjhCOvM7.20220114053243.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20220114\PowerShell_transcript.301389.qPOtysNN.20220114053246.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#