Extracted

• • Target

    Contract Invoice document.exe

  • Size

    700KB

  • MD5

    2d7ed81d34091273b1538759705ac990

  • SHA1

    465b350600a5561ad892e259f81ff2aa065e2b76

  • SHA256

    82ff0a181a498c9a794c085821aeec269122f36c222dfcf31ea39d71d6b4c9f9

  • SHA512

    1d3335f0170b993c6e96e3181937d7f12adb0f12bb2560b20f2c7a29097cb21b9a507a8c2f9e07a4f466f2b115098e37c00866cc8cc807e978072066e5b3be92

  • SSDEEP

    12288:AvV+s1bSQT6tjjdB408SwuqM9Scx/zChU7z0p2XhIK137I5m1OXGI4j5s:AtHRuJoY/ehU30kh37/Au

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2