General

  • Target

    5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe

  • Size

    753KB

  • Sample

    240509-bxk6qsde43

  • MD5

    940f9282615409a27cd72e4bf6ba7b3e

  • SHA1

    1307c4ba274a56c9ca4a95c12e7591df8bb0b642

  • SHA256

    5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa

  • SHA512

    0718e929e984a2bdd30f315d597f4a959194b052fe3ef4648baf34a2e07f812f510f8ee1b9dfccf88e6980ecf042406ee074f1c5cdb4942937cb0d01c4db1162

  • SSDEEP

    12288:9e7dDQ2FUPyf6otLns8trlVT/XL1VQC3TBgltTnqkZQSC+wUoO99OGfFinSvdocy:9OdD3GPyf6otLs8trlJ/XLgCdgTWktE3

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5967521781:AAFM9TWkFoveAFBEBJsmTEG-0oQtcRWcbVE/

Targets

    • Target

      5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe

    • Size

      753KB

    • MD5

      940f9282615409a27cd72e4bf6ba7b3e

    • SHA1

      1307c4ba274a56c9ca4a95c12e7591df8bb0b642

    • SHA256

      5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa

    • SHA512

      0718e929e984a2bdd30f315d597f4a959194b052fe3ef4648baf34a2e07f812f510f8ee1b9dfccf88e6980ecf042406ee074f1c5cdb4942937cb0d01c4db1162

    • SSDEEP

      12288:9e7dDQ2FUPyf6otLns8trlVT/XL1VQC3TBgltTnqkZQSC+wUoO99OGfFinSvdocy:9OdD3GPyf6otLs8trlJ/XLgCdgTWktE3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks