General

  • Target

    980fbd96943cfcc23b375865a7c384ef.bin

  • Size

    12KB

  • Sample

    240306-cbqd1aha79

  • MD5

    0e6f4a2c8c270308556386fc7393aad6

  • SHA1

    277ee88c6bff2ce620a86390a7dadfc18153ceef

  • SHA256

    a5c6ef7831685fa54466a4d02ab00cc39f48b522d070872b544daf4a1ad64a4e

  • SHA512

    6aca8d8f94a3a56505447b6c3aa745eed6d1d50b9cd2390951f08284ce6369f0f81f7458aa30d1081a3d68661a7837c09119e8c4eedeeb410c883ccff11cd983

  • SSDEEP

    384:zOZiD4znS9v5o5HD02dPDJOWs5PzO66JdN1bnajiGW:zOZs4DddPEdPzsNIg

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      9c184089b39cc4903d262707dd3452e83b1ae1f8da5c6193cd59d7db8e8afa48.exe

    • Size

      25KB

    • MD5

      980fbd96943cfcc23b375865a7c384ef

    • SHA1

      0fa0c58786143ae8b9fb9f186ffb89f6dba1f69d

    • SHA256

      9c184089b39cc4903d262707dd3452e83b1ae1f8da5c6193cd59d7db8e8afa48

    • SHA512

      d88289204118b3017fc390ba63c1d0424d3ccef3bc5d20d2c9256ca93054c97eea9709099335d85b047b8021ef550818c1f9830eff782c71da637cdc470dffa5

    • SSDEEP

      384:5r5lJ0Wtq+c/+xUFD4Gnnrs6HPRdDdrcaU7fYcpKbx1AHM5K1vWcgxxVUJwhbUA/:TlJ0x/+xUFDhrrJbrc5pKfzA1vOxyN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Contacts a large (4985) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks