General

  • Target

    27ceddc87795eb0c1fec50f8da2f94cea865d7de14ed569541d629c099d63296.z

  • Size

    663KB

  • Sample

    240509-bn4xgsch42

  • MD5

    05dda5cb7335c6c9f7a7d00dc6dbd49b

  • SHA1

    504d9e0730c58798257104f126aadb5686ca3a04

  • SHA256

    27ceddc87795eb0c1fec50f8da2f94cea865d7de14ed569541d629c099d63296

  • SHA512

    02de74fe2033708c35c9969403c08c2720dda3297e34dd37842b09e5f0f175431fbe2a868ce935906ea93b809edd9890226bb21e9ba517723a53d6b0ee5fec75

  • SSDEEP

    12288:LEXGi1mgnJXQQ4OQ/g3+EvAEB5uAgiN9u+m+N0YSBQNdH9FugOo:LEXGgndSc+S3zW+WpQrHCgOo

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.deeptrans.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    59ace821A

Targets

    • Target

      CustomInvoice_WaybillDoc_TransprotLabel_78060565761052024.exe

    • Size

      1.1MB

    • MD5

      4bb4e01a5370b516309f202e9ae67065

    • SHA1

      909b4e79ef64bfaaf00c670a329eddff2a013300

    • SHA256

      8b595373f715ca3fdcfb46ad318afa8c3a0bce743c790d572d57787a986f5887

    • SHA512

      70a5ea29b0b66c256abd2d92e6cccf4b14b56f14a92e49fa9e2e14075ee94c8c79d31d9be88310dea42f0f93ddd5d8efad0775af27f3e295605b65ff943f4673

    • SSDEEP

      24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8a4Mf8XMZqXYEQAaSiKpjNQ:bTvC/MTQYxsWR7a4MEMZa/is

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks