Extracted

• • Target

    d967ab9c69606d614df05823f3fcb76d436dbda3f1306db4d132acbda8aa8cb5.exe

  • Size

    712KB

  • MD5

    cb557a97949c50fc133f4d58537ddc44

  • SHA1

    b46e14c0325e0b1419e6df97b20803eeb92a55b4

  • SHA256

    d967ab9c69606d614df05823f3fcb76d436dbda3f1306db4d132acbda8aa8cb5

  • SHA512

    91d5abcc7199c36eb89cc1a3536fb0ba633fa96f2743d7461d1b48a37f5e09974f05600b7d50cf8961dfcf414b6025ae4a14c0c500c6d5749d778e3a4650feb6

  • SSDEEP

    12288:zrXYMjhvPie/rByY77777777777774HOE+aEz+dbZjghmi8+NEaIa0lPhcPIuRiU:3YMFniyyVufcbRg/I5PhcwuRiFtq5630

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2