General

  • Target

    E-dekont.exe

  • Size

    878KB

  • Sample

    231211-q33ejagbgn

  • MD5

    1349f4cdeeff77f8e18cddb241f3e425

  • SHA1

    f631ca6cb8897a6d052f09df9c278f16088aa25e

  • SHA256

    410ef6d906ba484fc887ccde242ff8f0057fe55c338a7e4dc9d7be4ed94c7f9a

  • SHA512

    3ed9368e40be9803b0f9590d1f67e4dddad886a3551e52915a042a36fa7813d5556e78034d9a6297c9aefef3da5203bc9fb1bb013dd57e09a121f66dc77b82cd

  • SSDEEP

    24576:P7EcmNaAnMM0Xc4H0KZCbhDjoJfMpxXM+u7vR/k4k:wRBfAdZCbtjogxFgRE

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6225333215:AAFu6RyUqp4Klj6s7zuEWrA78AFP6bYaof8/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
