Extracted

• • Target

    1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2.exe

  • Size

    1.0MB

  • MD5

    1a5e881a5197cdee0fd2be1af368198a

  • SHA1

    3ff94ebf7ed66aadafa66b28f01f3a4beeadb98c

  • SHA256

    1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2

  • SHA512

    8c75be3273a8d8b1043e3e4e2034cd00a8bb33c404ae2441619e16113b24723159a46a6fce4526ae31040e1bd3ee7368340ad7bbbb2fe4d0c9d15d78fdc4ffb2

  • SSDEEP

    12288:attzg2iNNvemxU2Uy49rF+mu3bk0RqV4Ef3JdselFDnw7Vu:QBg1vxUWcIrk0Rqf3Jd1FLIV

  Score

  10^/10

  agentteslacollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2behavioral3

• • Target

    FedEx EL1870335D online Customer AWB Shipping Advisory AWB Docs.Commercial Invoice. Packing List. Bill of Landing CMS00.exe

  • Size

    883KB

  • MD5

    72c4749f756b5b7341ef425d769d6c74

  • SHA1

    ba3b0faf467c1db173c9aaf37bf69ccb30759ecb

  • SHA256

    a6339dda7fc718e5a77bb3736d1c87e6a8fbc14827525307b3e8f184f02afd48

  • SHA512

    e7b31a35f9d80b4eba17c49f875dfa32d6a6d786bbe3db22de272f6c99eb7aef8d8936d90e82cac7c7da58c34d43fd82a5374544fba5b95c3866287fe642f295

  • SSDEEP

    24576:O1VT1rXpNTgDDQmBMjerErCQtUcCMuy1HzgcK3vJc:OvNTWM4lgAcCMZzgcK3vu

  Score

  10^/10

  agentteslacollectionevasionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral4behavioral5behavioral6

• • Target

    HSBC_Swift_Copy.pdf.exe

  • Size

    1001KB

  • MD5

    ce3718f0a5cd81530496e4724857b0cb

  • SHA1

    17aca36e82674bd55a48684acc4eef6cd02696b1

  • SHA256

    980572025579ff98c1ab84aa8c0c045e075d174bc5bb166e2694590c98f90a54

  • SHA512

    6f30e90a5b9412a24f9513690cfca60c57f2e615604a12ddb7e355bd80894b7f3a37d8242813c76484a258db588c3df25f193a556284c3408d98c92ae814f724

  • SSDEEP

    12288:bZ+2iN1/Sr+pGrnU9xmh873NdbE9QJKQZdF+LHZnbNFphh26mdOAH8c+9epf+mDG:Q1e+gnU9cOrjEw5Zupbxhh26mlH80q

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral7behavioral8behavioral9

• • Target

    Halkbank_Ekstre_20221222_114527_468568.exe

  • Size

    497KB

  • MD5

    447d145276eef872ff7ff17aece82184

  • SHA1

    770464513653a17210806339a7bd5f51a761f355

  • SHA256

    a4e9eafd0bfcb5db60683b2c37e4a113087a656408b96e2795f94af8aecc20b2

  • SHA512

    cfeee165c61a2a62f13611d7cad57c8bdc9ebe441718953394cf3e200398a5ebb71ffaf7cc427981105f65c3e6fe23d021d32713ce70a76c80e9296fb3572fbf

  • SSDEEP

    6144:ckwKLoJOtJrEx6csI6PVmWVc9fXEna+sSJSYRf7P1cZGllQYbT:7LosV0/3WVc98a+bJLf7PeZG7/

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral10behavioral11behavioral12

• • Target

    SecuriteInfo.com.Win64.RATX-gen.30948.8275.exe

  • Size

    1.1MB

  • MD5

    ff463709d7e429065e6efeb1456281a5

  • SHA1

    43821ebc1f3f3e1b7208314747fdf8527263f363

  • SHA256

    6f05a91cd30498cf1bc9b2e0058f1e3caa18b401b77d0a83b71a6df845430716

  • SHA512

    990efaf520e2bfcf2a42b491e67b9266380d966439e132c40ad0eba28ae9ebaf6448bb538128a38e851be6a6660b04451c75138139e1371ac104540564a07dcd

  • SSDEEP

    12288:SNP57i9RD++rs7j5Dytl7B1ljdOtovwGPVp/n2sS4OIvlxd2UIivOmBgdUYt9flG:Xh7XfPCsS41hbjSCC5Gm6oG+/c

  Score

  10^/10

  agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral13behavioral14behavioral15

• • Target

    epTZLp5PyVs2lsz.exe

  • Size

    1.0MB

  • MD5

    e74df11dc99580800c2ab75798fd0e25

  • SHA1

    2b7914bd316d5d22a122d0263acca82e4152532b

  • SHA256

    54080957647575cffb4a2575baac7edf65a4a8d3faac7b133246bae3a1bdb3b9

  • SHA512

    962cf59714314e2f71c9fc45dc9c5940ed678ce25e6a6c33da29f15bc6893e6e0850af25533a6cf067fcfd6d9087de676a710d5a83db18db5f065fe024afe604

  • SSDEEP

    24576:5LZLn1GvvokU/em1X4QaZDQi3/NMSwW8NlK:5tLnU3DU/d9YZDQQNiZzK

  Score

  10^/10

  agentteslacollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral16behavioral17behavioral18

• • Target

    f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc.exe

  • Size

    1014KB

  • MD5

    26c27aabc7f503c9c77f004f4b909c2b

  • SHA1

    c01b1e1eb7a532539b8626409eec93c5f7e86243

  • SHA256

    f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc

  • SHA512

    0182a98ab6dfec078f24a20972e42d652f8a8acc2ae707aea63c0b30dea97618843affee13de2e8bc772d9d38efd54dc219c7cdceaf2309482381b165e03259f

  • SSDEEP

    12288:Wd4l68YdxM7KcQF8SYyKQiQGarSYSODjyVKSqmtDUHILYacpf+mDXttarruVBDUt:448888KcM86viiLz8KSqeDUHILY9

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral19behavioral20behavioral21

• • Target

    f2335865a426507b47ecf5e37dcae9a3.exe

  • Size

    860KB

  • MD5

    f2335865a426507b47ecf5e37dcae9a3

  • SHA1

    7ccf56c9c48ffc911ac80ddf5240a42c99f83e33

  • SHA256

    57901cf97d0ab4c57f8b4927c75bd8761182b5ddb80d09bb917aab71ae68d7c6

  • SHA512

    67fd0fb2b872446957c570fb3418ee41363b8b0a6362819c36cef81454acadb2892e31dab2f7760a2f848c92b2b61b8ad5012a6781281f6cb009815c9424e208

  • SSDEEP

    24576:EsFdELpCybniAU6cH80ru/71mnMOrYH1ocO:FFdELpCybniAU6Gu/71mndM1jO

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral22behavioral23behavioral24