Extracted

• • Target

    44f706c6348828fd978cbe2fb035450175276e11f75717df19fd513d9116a585

  • Size

    95KB

  • MD5

    89bc6750ff71019eab26fe5284a762df

  • SHA1

    fc3c19e874aa6ce6c035c63bbd50101680cd1ceb

  • SHA256

    44f706c6348828fd978cbe2fb035450175276e11f75717df19fd513d9116a585

  • SHA512

    71134c5b76a9fa69e18d12d8ea028209eae2d5f35fbded393efaaa392ae67341cc228b4e21dc876f050c12211282c1061a48a4351d5a8b16fea9e4a74677cdbb

  • SSDEEP

    1536:XGD5sF8F2tS9mpUPG+vsyKO9+6wg7Dg1DjixS1nb5gHhBP8Okl+jnGUGYebmsYxh:XGD5siwtS9mpYiy5DwjCcb5gBBP8QyRw

  Score

  10^/10

  agenttesladiscoverykeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Contacts a large (5036) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2