General

  • Target

    802619753.exe

  • Size

    2.3MB

  • Sample

    230329-hxmg5agg91

  • MD5

    1a67c34a424bbd546f27b6b606607b56

  • SHA1

    ea34fe79dc91c9460578079d0a0ccf10b81d4471

  • SHA256

    9674254149fa0d8114eb39a3db7944b817f438569a1663a2fb090f322183a515

  • SHA512

    59aa8ce6823306f2f43c03f5b7a9605664a1005ca76672fa51a7b5b458a009aad45b78389ed622d8e68236e50af2b057336ce8afe8b908a895ef032191661b6c

  • SSDEEP

    24576:fzWRntOL2f9KpPfbwt2ny/v/LtGZsYjot0ybUs0Ij56Pfg+4F3018mtZsCd0x32L:fzI9Kmz0I68mnX19a9EPhr9BIo

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks