Extracted

Extracted

• • Target

    3713a53f5b24fd88d75534391e13d6883666805647e7ef4c79f8ab94e9083f4d_NeikiAnalytics

  • Size

    697KB

  • MD5

    9e2e47c1b220b368cbf9720d362fea80

  • SHA1

    c7db8c532ef25249c377c3e22197ca8f3df0f342

  • SHA256

    3713a53f5b24fd88d75534391e13d6883666805647e7ef4c79f8ab94e9083f4d

  • SHA512

    a50ee498115cd55138f4fe834a4e25bec317c03fb9abb3c85f2e5b0c5cc47a132abaa8790bbd87d1c3b3cde326517d2bb31103936855f0f6056940a1d9a09816

  • SSDEEP

    12288:GdrLbDZaNRpm9w2cqnJ6F/i87C82GFgW20BynVg1tXSuJSRZJyP3Oa++ljR2FjJ1:ILDZMRpm9Q/FaO2RT0QWW/weqSjpeZnc

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2