Extracted

• • Target

    invoice.exe

  • Size

    1.1MB

  • MD5

    f683d81b0a64bbd11cf5f21ec12da54c

  • SHA1

    646df1c5b6d45e01e1e042ffe9e46f820ecc5b4c

  • SHA256

    c018bc22c700a8f6e4100b843d3a96b2409d6c215e1062608fd73714236764fd

  • SHA512

    8dc81a8a3df22fdacaf3baa5e8226de0087f9d7a80d9ffd4015b3407e3e534e03027d0b1a5960f25972b995c54ffd52780c9483bdb07cdde17e79a0b3578980c

  • SSDEEP

    24576:PGIGAA2Jim+0u1zHoVXGkQgylZUcHfOVjqdOpd:eGJJhLu1rcGkKd4jqdO

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2