Extracted

• • Target

    f064387ab391aff2b0d120df58a0a98e269843462aca86076a9cb113885bd2cc.exe

  • Size

    677KB

  • MD5

    16840755455640657de48aa81c0f5247

  • SHA1

    4b64f121ed06741bb1a36f023beb7a10e26d0b27

  • SHA256

    f064387ab391aff2b0d120df58a0a98e269843462aca86076a9cb113885bd2cc

  • SHA512

    ed171d8af700f10e63577297c2626a0de99e0099c2a2c58b45731e0255aa923ac5e0b66dff6df28ffdf05b8b7d4cdc403dc74782f9efa5bda6dfb80b377df38b

  • SSDEEP

    12288:aFIB1oVeon3X8hq7WyqJoZnglXHQAM8vj4sbROgnSu2yqfbXxko7EF:aFqo53Mhq7WyqOnK3QkROGbZqjHi

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables packed with SmartAssembly

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2