Extracted

• • Target

    6e3da30b226495f4500bf25723258d452e35cea413cb18fa4ac692cd15f0ed40.exe

  • Size

    550KB

  • MD5

    b86889a778d341f384651c5950f65a47

  • SHA1

    3953603b47411e8c0b3c3906fdfad2dca66aad6b

  • SHA256

    6e3da30b226495f4500bf25723258d452e35cea413cb18fa4ac692cd15f0ed40

  • SHA512

    4e044a5db64940a21825a597e3c45090f06e8e54b1dfcdd2d6e68054c2d1ea4caa6b14d7f99dfef0431e81ed5f587275a21ed54ac0c2b8dcbc84f9daf3fefacb

  • SSDEEP

    6144:jcqPlAc2jHc2j5c2pe0xVO7JpyTaeDLzjFVKIhzcwOBflXEY+2kx+YRtWel2H+j:jcqd+xVO7Jw3FV5zoflXEY+F7D4XXE

  Score

  10^/10

  agentteslacollectionevasionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • AgentTesla payload

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2