Extracted

Extracted

• • Target

    d46699db75f60d8f4f81626a0c31a1daf18af7fbafd249736001f161c1090f20

  • Size

    12KB

  • MD5

    346aa5104c386e77b15cbfa54e3c0194

  • SHA1

    2b031a997c388d8aace26a96e01ce9d43e95b378

  • SHA256

    d46699db75f60d8f4f81626a0c31a1daf18af7fbafd249736001f161c1090f20

  • SHA512

    ed6a39ac14756eeb2fe1c4c83561c6f6bc2773f921f42579612e7ffb2b668b5810c3491672475f7a3c64c7e64e20fa955bfb2d4931af826337647b86bd5d4dbe

  • SSDEEP

    384:OF49BjVSOHp5e+em+76kyn/VJd+mUM1iJHi6uHZzfH1TdDYlt+PoYzFsRhZJRY1F:9V77du76koVJgC1iJP4VTqla0Jy

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2