General

  • Target

    95342d530759c64eeace810c555ee4f933f42e974e32be929a9d36e13da5e050

  • Size

    859KB

  • Sample

    231211-dew7dscdh7

  • MD5

    da09fd188e1fd951bc127dfa400fd4a2

  • SHA1

    482b00a6a101c6215b7de9a2650f6a94163ac26f

  • SHA256

    95342d530759c64eeace810c555ee4f933f42e974e32be929a9d36e13da5e050

  • SHA512

    36fb1406c0a0c2560dfd4596c2119e3fba1fa4bf845cf391cd6734703153315231202c834b555c3a5b5870f60d3afefffca616ff7721df95cfd4f1a4c7d09c0b

  • SSDEEP

    24576:6PMg98ScI7izkL+XL9SidnF4IfeHAOPw4Me76Hco:yMXScIHiF4IWHAOPw4MMo

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1183395967563747379/uiR-L8sCPAbmIk762kRjA9KmM-l1_wr48uBrF5rgQJmviD0L7w1EJt85eDdGByNRZnXH

Targets

    • Target

      RFQ#445890_INQDEC2895PROD_Hangzhou Zhongniu_Import_Export Co.exe

    • Size

      923KB

    • MD5

      25277cf15e643825284c3c6c954bf9d8

    • SHA1

      9d52fb5e99e709a3d318743becfefc33d9317016

    • SHA256

      7d3491f8d6165d53723b95e8b794bf457cae9866aa5acee96d380593573c1978

    • SHA512

      18f873744a0568a91f7f4c1a4a18d6014df03726d166acb90098235d7b68ea6db3d9953ef815b42fd7cfe23de71b779b3bf1078584ca759afa1ab9a5c91e94ee

    • SSDEEP

      24576:BNIMPAg98Gwi7iBcTW7L9Cidfv4ifeHkOPwaMe7YHehW:vxAXGwiRmH4iWHkOPwaMOU

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks