Extracted

Extracted

• • Target

    Approved E-DO PDF.exe

  • Size

    698KB

  • MD5

    ccd1edccbd14c9c0245099ac2920be83

  • SHA1

    77a57f47e0660da5a2a1969392cf0aa962c5eed8

  • SHA256

    56f69825010da76642ee25cf55098c51f6ded6f6fe2718b6c69c1c4b74b57c65

  • SHA512

    af3b651c6cbd0752b001264b0ecbf7f254af2ae832b9d862f99b5fa818f540254c878b7b64d0f422e12029890584094fef73cf56c1ed5aa82dfe1e2fd77a0c47

  • SSDEEP

    12288:JO3/T3/fVrTtK3/y32K4J8wqCfqIP5Otr7VnYixibuRtgiTn+aEoQG527KCHftop:srXVrTtKqmfqClP5OVdY0iqRKuEG52er

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2