Extracted

Extracted

• • Target

    e-dekont_html.exe

  • Size

    610KB

  • MD5

    66e196c15ec46d1e7526b1c48da1b72a

  • SHA1

    f9b2dc950a21c296aaf57a013c3f4e93f8ebbad2

  • SHA256

    8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9

  • SHA512

    f8d8241d5af76033ba83caff888d325285110356b8e35175260a912cf416670465d218d7c550b9f15cc969bc2f53381cb8e41dd4f9a859cae65e4df600b6f851

  • SSDEEP

    12288:yRfHhxVzsP5wzyNwv5gs3MjeNPq0wKrCHrT3GQzRVPUYvV3L2dXEg:yXxU5wzaktc4PEWCHfGQzbPfvFydXEg

  Score

  10^/10

  agentteslaevasionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral1behavioral2