Extracted

• • Target

    bb6455721221afb980661df55c7aa8ae40d04986bb48bb32638c656654955d91

  • Size

    696KB

  • MD5

    942159927d5bc0cb1b02e398584cf1a9

  • SHA1

    ef7a0a018ce8389b5a5e7c5af7a787a5695e3ebe

  • SHA256

    bb6455721221afb980661df55c7aa8ae40d04986bb48bb32638c656654955d91

  • SHA512

    fb4ac3c81e7e1485de6fc48909bfb3dbf54d54067ba95ca6d540cd70a550d2e5e23f5b868afd217e906adaa64eff3994576248bacd1859bd7950cdb0919f2842

  • SSDEEP

    12288:KueH5qZFQVFuC0aWx+LOoDDygLt3YI0Yn5YP7Z+P8nU2fLwHN+JoNcJjgntXyzrL:uqZFQt0n2OozVfH5X8nU2fkHN+u2i5yr

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2