Extracted

Extracted

• • Target

    Purchase Order.exe

  • Size

    449KB

  • MD5

    4c5885a4ccdb6afc0d49453311ecc363

  • SHA1

    e894fd7a1797ae83df5f3df8cc7f326455b5622f

  • SHA256

    5c336599791ce2459fd0fbb6e6acb618be490f62b4136f476d108c59b383e79e

  • SHA512

    0daa6fa9c494f1a0260ccf65eb002f07cfc1973b08922651ffba296edd74fee7c6314bfb133dc58313cf030c42b19cd26d6340b7d4c04f529777d001799e49df

  Score

  10^/10

  agentteslacollectionevasionkeyloggerrezer0spywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • AgentTesla Payload

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2