General

  • Target

    c7736f580b88f088ca8bb5f9437683d7ec6e11c239a173396f9f78a166568791.zip

  • Size

    675KB

  • Sample

    240515-b9awjabd2x

  • MD5

    a39f7a19269737a101a51c039854c6a2

  • SHA1

    cf9c22afef9905c7a1d46a8dc54598942f9fc79f

  • SHA256

    c7736f580b88f088ca8bb5f9437683d7ec6e11c239a173396f9f78a166568791

  • SHA512

    6fc088db7a6def052cedaa8eeb4fbd9256e78ebd9e08aa030c8ff0396f5f05af9b38a9553f98eedf30d5320fc72411b29c10433c7a33dcca120176a62fac5c20

  • SSDEEP

    12288:NwFPs6TAECw/r9yXQ1XglkEvdfmCzdbo8eaYBx23ZytmZEaAcSdpTBZXQHqRXGO9:NfECSyA1gkEVldboHa+WzEafmpTXXaRs

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      INV&PL.bat

    • Size

      712KB

    • MD5

      29b205cd02c55e9b8d3ec086afbc2634

    • SHA1

      343fd19060246ab81cf8868b3a7cdb71e4889ce8

    • SHA256

      1ccd4bde08beabbb7628115eea1f098e0c32fbc468d410a3474e530824aea835

    • SHA512

      f4335b7122c2fff906bac72783c39b942bb5cd04a5ecdc8f5ab2a5bd0dd1d16698cabaddb6ba01daa71687f5bbf59f60647b59bb9c1f4d063d14dab6a11aa81f

    • SSDEEP

      12288:lTfYMjhvPie/rByY7777777777777N6yrfgl/dnmiIzdbYceaK/mRZ8twZEaCc+9:ZYMFniyyqr4d6dbYnaPxEatGpl4TUX

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks