Extracted

• • Target

    invoice CHN1080769.exe

  • Size

    731KB

  • MD5

    81cb8ea8d9b46383fcb2a1a46e8b88bc

  • SHA1

    9eb657a5d0836dbc323fc3c129e133c14f99d7d1

  • SHA256

    fcaaf8296552e9a4bb23f21e2c88801c3783a163626b44b6cef6e17bbde07bf0

  • SHA512

    8620f2376ca0ae293e9eebb8335e2fe63cf420ddfe00de4f0532424e816ced1e64eef314c02f4f74b9cb4f82a86f543dc435dcb92e6ad2d3dad949e5a258c705

  • SSDEEP

    12288:bYWET/mr9KfW+G84wBj5J3MvgHUgwszbpy+uPnO/FdPa4g+m/bb821RMSQkR:bYWtjV+J8oHUgwszc+uPaPnO/bbJJ

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2