General

  • Target

    z12POAB67554RTE_pdf.exe

  • Size

    1.0MB

  • Sample

    230628-t47x7abc7t

  • MD5

    de64a1f4de563006010decc3760e98ec

  • SHA1

    00d8799b156be9a0bc2f844f79a04d2897cedda4

  • SHA256

    87d0708f63cbbba7d7213a72baa51da5b383f2f2c73abd2abba0bed42fb08932

  • SHA512

    dc87a8d1deed64db3451ec19f3d4eb2c37ddba872d739cd03cbd8d28fd0bc7a0e817a0411853765ddbe6eeb0aea29143704c2da0bb35383c99ff115fb0915511

  • SSDEEP

    24576:vTbBv5rUPL6KJaLCEMnDovLtrzMa3oIET+bxP/FiVFGk3:ZBwWKJEMDovSa3C+J/c6k3

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6227397160:AAHa_XfLqdHe58qC0hENKGnkzmhH1GXwqxE/

Targets

    • Target

      z12POAB67554RTE_pdf.exe

    • Size

      1.0MB

    • MD5

      de64a1f4de563006010decc3760e98ec

    • SHA1

      00d8799b156be9a0bc2f844f79a04d2897cedda4

    • SHA256

      87d0708f63cbbba7d7213a72baa51da5b383f2f2c73abd2abba0bed42fb08932

    • SHA512

      dc87a8d1deed64db3451ec19f3d4eb2c37ddba872d739cd03cbd8d28fd0bc7a0e817a0411853765ddbe6eeb0aea29143704c2da0bb35383c99ff115fb0915511

    • SSDEEP

      24576:vTbBv5rUPL6KJaLCEMnDovLtrzMa3oIET+bxP/FiVFGk3:ZBwWKJEMDovSa3C+J/c6k3

    • AgentTesla

Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample exfiltrates over the Telegram Bot API (see the extracted C2 above).

    • Checks computer location settings

Looks up the country code configured in the registry, most likely a geofence check to avoid running in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is commonly seen when a payload is injected into a hollowed process.
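The two behaviours a hunter would pivot on from this report are the Telegram bot C2 extracted from the config and the Run-key persistence listed in the signatures. The helpers below are an added example written for this page, not the sandbox's own code: they parse Telegram Bot API URLs, flag bot-API calls in constructed proxy log lines (the field layout `client= proc= method= url= status=` is assumed, not a real product format), and flag Run/RunOnce values that launch from user-writable paths in constructed Sysmon-style registry events (the `key`/`name`/`value` shape is assumed). The bot id, token and SHA256 come from the report; the sample log lines, SID and file paths are made up.

```python
"""Hunting helpers for the AgentTesla report above (added example, not the
sandbox's or the malware author's code). All log data below is constructed."""
import hashlib
import re

# Indicators taken from the report.
SAMPLE_SHA256 = "87d0708f63cbbba7d7213a72baa51da5b383f2f2c73abd2abba0bed42fb08932"
REPORTED_C2 = "https://api.telegram.org/bot6227397160:AAHa_XfLqdHe58qC0hENKGnkzmhH1GXwqxE/"

# Telegram Bot API URLs look like https://api.telegram.org/bot<id>:<token>/<method>.
# Tokens use letters, digits, '_' and '-'; the method segment is optional.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>[A-Za-z]+))?"
)

# Run / RunOnce keys under CurrentVersion, and locations a low-privileged user can write to.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def parse_telegram_c2(url):
    """Split a Telegram bot C2 URL into bot id, token and API method (None if absent)."""
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    return {"bot_id": m["bot_id"], "token": m["token"], "method": m["method"]}


def find_telegram_exfil(lines, known_bot_ids=()):
    """One hit per log line that talks to the Telegram Bot API.

    Any bot-API call from an endpoint process deserves a look; a bot id that
    matches the extracted config is marked as a confirmed match."""
    hits = []
    for line in lines:
        parsed = parse_telegram_c2(line)
        if parsed is None:
            continue
        parsed["confirmed"] = parsed["bot_id"] in set(known_bot_ids)
        parsed["line"] = line
        hits.append(parsed)
    return hits


def find_run_key_persistence(events):
    """Flag Run/RunOnce values whose command line starts from a user-writable path."""
    flagged = []
    for ev in events:
        if RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE_RE.search(ev["value"]):
            flagged.append({"name": ev["name"], "value": ev["value"], "key": ev["key"]})
    return flagged


def is_reported_sample(data):
    """True if the bytes hash to the SHA256 listed in the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed proxy log lines (assumed format, not captured traffic).
PROXY_LOG = [
    "client=10.0.0.7 proc=z12POAB67554RTE_pdf.exe method=POST "
    "url=https://api.telegram.org/bot6227397160:AAHa_XfLqdHe58qC0hENKGnkzmhH1GXwqxE/sendDocument status=200",
    "client=10.0.0.7 proc=chrome.exe method=GET "
    "url=https://api.telegram.org/bot111111111:AAEexampleTOKEN-xyz/getUpdates status=200",
    "client=10.0.0.9 proc=outlook.exe method=GET url=https://outlook.office365.com/ status=200",
]

# Constructed Sysmon Event ID 13-style registry writes (assumed shape, made-up paths).
REGISTRY_EVENTS = [
    {"key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "z12POAB", "value": r"C:\Users\victim\AppData\Roaming\z12POAB\z12POAB.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "value": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
]

if __name__ == "__main__":
    known = {parse_telegram_c2(REPORTED_C2)["bot_id"]}
    for hit in find_telegram_exfil(PROXY_LOG, known):
        print("telegram bot call", "CONFIRMED" if hit["confirmed"] else "review", hit["line"])
    for ev in find_run_key_persistence(REGISTRY_EVENTS):
        print("run-key persistence from user-writable path:", ev["name"], ev["value"])
```

The bot id is the stable part of the indicator: tokens can be rotated by the operator, but the `bot<id>:` prefix is what the regex keys on, and any bot-API traffic from a user-facing process is unusual enough to review even when the id is unknown.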
