Extracted

• • Target

    freight forwarding.exe

  • Size

    620KB

  • MD5

    6e270eee0b1cc95ce1d2f8854307f280

  • SHA1

    f1054d04e48047d050d5524d308cc94a26f02996

  • SHA256

    2bad3cf2729badd3d5d317b0ca215ba211ebdf12fc903f504ad81cffa22a7b93

  • SHA512

    4fd6b93a55107d034ec024217e942e53bdcf8f0beb75fd50cc305f4feeae71ab19739826fe5c712245b92b3397d265916d4b2aeeccccf9276becb6b5ef7b8cc6

  • SSDEEP

    12288:IHqNSFbamWQQy8Edppn/Tq3AgpBreNdF6jgZJHd3JW97j8KXo9GLV7AiSC3X4:IK0WHyPrpLqhBsdFegZJHd3J87j8

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2