Extracted

• • Target

    1c28cccf93bd2b76cbe8f847addfbe78205d569b317277cb2fce736290df2a52.exe

  • Size

    614KB

  • MD5

    2267981265b6f5cacb3c87a96d7ee895

  • SHA1

    d02174c82e0748c2a518e28422328f5e428dfc3f

  • SHA256

    1c28cccf93bd2b76cbe8f847addfbe78205d569b317277cb2fce736290df2a52

  • SHA512

    809e68c544e4e1b1484089653dc47c50a6c0d389a00e5ff78f7367d6b8bfcb350dc73ce6792ba9d908a8e108f9c563ba40e4527c4992a75fccbb564439d0dbab

  • SSDEEP

    12288:7Cb3oNO9EmL5XvABRlY95aQB2b9v93BmNCVM0kJMJVioWmCLwMG9EGqnLdOJRYWq:7CkNgZYYf3IxmNCVM0kMVXsuOGqJOJb

  Score

  10^/10

  agentteslakeyloggerspywarestealertrojanpersistence

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables packed with SmartAssembly

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2