Extracted

• • Target

    ad9fd8dbec8d71d3ef7b1ae8b2882b986b1f6b0a9de791d0693ebf551ada676a.exe

  • Size

    774KB

  • MD5

    bea4d8667895e1b7583db6681f4015c2

  • SHA1

    539e45783a3646fa32c5ad256fda8e7d7decf69d

  • SHA256

    ad9fd8dbec8d71d3ef7b1ae8b2882b986b1f6b0a9de791d0693ebf551ada676a

  • SHA512

    70250c94f648819de84a9a7634232fa8e5841e1331b649b1771eb5fc20dc90014a35757d90e4534f4c41ee4df3e9cc239ffcb598dd1f8ac2a66bcc643a4efa0c

  • SSDEEP

    12288:zI8WET/mr9K+22BEEzFatnomOODVpgOVTp4YjzXGRLHVHpt+eQ2wREzItcYcegm9:5Wtb3BEuYFTp4WIL1HJLmEUtU/myA

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2