General

  • Target

    RFQ#445890_INQDEC2895PROD_Hangzhou Zhongniu_Import_Export Cos.PDF.exe

  • Size

    920KB

  • Sample

    231211-sp5c3sbgc2

  • MD5

    5739503918d2197229995037c57b4cdf

  • SHA1

    e70caa3ea80971d1519188b42295861a7ddccf61

  • SHA256

    5abd7ea82a80349aa1d0444ab05e79366b616cc4adb7a437543e474fd76b0801

  • SHA512

    9d7b98b7587fd83fa139b509c8d6ad53ef2e5b6efa16c653edc80c86a5eb9387419ba1dcd4ea4f94d9547511b2208196505e0e7c97a033643a76d6cf23a4073c

  • SSDEEP

    24576:sNIxTCehtiox6d9ccTW7L9Cidfv4ifeHkOPwaMe7YHehJ:ccTLtii6D7mH4iWHkOPwaMOn

Malware Config

  • Extracted

    • Family

      agenttesla

    • C2

      https://discord.com/api/webhooks/1183395967563747379/uiR-L8sCPAbmIk762kRjA9KmM-l1_wr48uBrF5rgQJmviD0L7w1EJt85eDdGByNRZnXH

Targets

    • Target

      RFQ#445890_INQDEC2895PROD_Hangzhou Zhongniu_Import_Export Cos.PDF.exe

    • Size

      920KB

    • MD5

      5739503918d2197229995037c57b4cdf

    • SHA1

      e70caa3ea80971d1519188b42295861a7ddccf61

    • SHA256

      5abd7ea82a80349aa1d0444ab05e79366b616cc4adb7a437543e474fd76b0801

    • SHA512

      9d7b98b7587fd83fa139b509c8d6ad53ef2e5b6efa16c653edc80c86a5eb9387419ba1dcd4ea4f94d9547511b2208196505e0e7c97a033643a76d6cf23a4073c

    • SSDEEP

      24576:sNIxTCehtiox6d9ccTW7L9Cidfv4ifeHkOPwaMe7YHehJ:ccTLtii6D7mH4iWHkOPwaMOn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks