Extracted

• • Target

    57b9c02fbb21761c2311e2a4d15f8b92654c63198cbff8ada952bac82c7c99ff.exe

  • Size

    708KB

  • MD5

    4aada6a3437c090cc6eaccff1e2461a8

  • SHA1

    2fa61668df7007b177e53b49f66a4b6402dc198a

  • SHA256

    57b9c02fbb21761c2311e2a4d15f8b92654c63198cbff8ada952bac82c7c99ff

  • SHA512

    13c267ba8c066603646a0a8f3f9e64da9d45780f1721790672e46cac0fa5a6de3bff2ead3ec78be4126ca8ed55d0019889819502f15f20b81d900cc5f3521643

  • SSDEEP

    12288:/xgbES42ZMifA7nGvxt2yiAOp9rLj8JbSUBKN4l3hCDbS3KXUYMjhvPie/rByY7E:/xgQ0An2t2ygXj86CybZUYMFniyyrL

  Score

  10^/10

  agentteslaexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2