Extracted

• • Target

    e5afe41ef86e36756bc8294b18dd889f3c43b7c706e97cfbcf35127a5327023e

  • Size

    1023KB

  • MD5

    864d13c20ea2a45d221d6b9d1ecab738

  • SHA1

    92605619a9748c2dbb0e534d9b75144047bec8ad

  • SHA256

    e5afe41ef86e36756bc8294b18dd889f3c43b7c706e97cfbcf35127a5327023e

  • SHA512

    6f922577ec8d3b0243f51cc2af4c1595e20c41e339936fa6fa4bdbbeac33116806fb60954d6003e2346aa20faa3d6fc29462e3a106dc0b98872f68e9144c5135

  • SSDEEP

    24576:w71cHx+KPCBgV4GEM1zqCN5oWnGStiOY:eKHk6CiC0lN5oOhti

  Score

  10^/10

  agentteslaexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2