Extracted

• • Target

    84225e449f93fe49be50ad0b5233f1666ac856db99b201d1625a0cefbf07b2e4.exe

  • Size

    660KB

  • MD5

    b59fdfa1bc3fab9682efe169673b860b

  • SHA1

    9029a816e934ad5e5545171c0bb4b4594e9dd7aa

  • SHA256

    84225e449f93fe49be50ad0b5233f1666ac856db99b201d1625a0cefbf07b2e4

  • SHA512

    2cc19bb9992e31bc045fc50a5d2bf35a42c3345704d26aa3f0ca139a44250b2dbd601ab6ec7aa0b3cba80d28a16d3ee7b5386a21fc8759f405c77d2f992138f6

  • SSDEEP

    12288:wzNwnqs3y44sAGBqD6iGj1EPoGtaUvNbKMYecJvk5CYxZsFzdZGdrLNhN3b:VnPAGBqD6mbYwtKMWxk5bxZmq3NhN

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2