Extracted

• • Target

    14bf7140553ce01a73ddd0bad30d173a14aa1614ee208b01f7a165969aefdc00_JC.exe

  • Size

    1.1MB

  • MD5

    a00366a3483d1d632223d68c8e6e3f15

  • SHA1

    9d3e8a5526c15408d28ad1af21937020accc5ff2

  • SHA256

    14bf7140553ce01a73ddd0bad30d173a14aa1614ee208b01f7a165969aefdc00

  • SHA512

    8a2579d06efaa4f49e73b50993ddd15728639c3ec73a743939cfcb1e2b46c899386719a0c83aca55891b54d7e639e9099254bc35a4ba1f21f6346934c93a5a24

  • SSDEEP

    24576:6oJkNU2vAuIan9AuMyLSisyKuMYc8u5XMxoZgnb3iPwwxA5MY:6ouFAuB9AuMyLSglMYdCMxoiboU

  Score

  10^/10

  agentteslasnakekeyloggercollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2