Extracted

• • Target

    b663557fae5b2a3ae36a386d6021faefc5c91d22229b0c8949261b4c1a8c4ee7

  • Size

    706KB

  • MD5

    c2b373e41187c0234d66c81798071343

  • SHA1

    119253344e8626d575af2b89e1f0160239fbb0c0

  • SHA256

    b663557fae5b2a3ae36a386d6021faefc5c91d22229b0c8949261b4c1a8c4ee7

  • SHA512

    c64bbdb786e50e04ef37822bde0190d8bef91dd42f8af6f03fd8098b6e832e04cc02b375ada6f3aee72664e95842ec56d9ccfaf8b4dc3f9639665be4b8fff43b

  • SSDEEP

    12288:Co1z8YRkaZXOYm6WxYx4UEXcW6w8Bj+mhmE/7in3c0++iVZqsFXvch:NsaZXOYpsYO8Bj+mhp8M0+pVZ/FX0h

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2