General

  • Target

    63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8.exe

  • Size

    761KB

  • Sample

    240522-b5kvyage7t

  • MD5

    77c6015c8c679abe8cd11cb51125f6c9

  • SHA1

    f9fd8a7f13b03480ae58622c228d6a6bb660f409

  • SHA256

    63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8

  • SHA512

    510a8a2e2905eebd97bbda9e4cf183392b59aa18f9bb3278fed82fd10721ebc1ad06633992e6f4ee8b4eb64b4d89cf185aeab3b316d041ccb523c0d46110f52a

  • SSDEEP

    12288:YzDn6yWn7fcpVZlu/6uHD73sYw0WJv1/wHiksaGdt8qmUMbpG/IinMkqFozGrCWW:sn698VVYHst0WrTkGrpm4/nMHvv/QO4v

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
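
The four behavioural signatures above (PowerShell Defender exclusions, registry geolocation check, Run key persistence, SetThreadContext use) are the ones an analyst would want to re-derive from the raw trace rather than trust as labels. The following is an added example, not code from the sandbox or from the report: it maps generic sandbox API-trace records to those signatures. The record schema (fields `api`, `key`, `value`, `data`, `command_line`, `flags`, `new_pid`, `target_pid`) and the trace contents are constructed for illustration and are not the report's own data. SetThreadContext is treated as suspicious only in the hollowing sequence suspended create, WriteProcessMemory, SetThreadContext, ResumeThread against the same target process, since the call alone is common in legitimate debuggers and runtimes.

```python
"""Re-derive the report's behavioural signatures from a sandbox API trace.

Added example; the record schema below is an assumption, not the report's format.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed trace records (assumption: illustrative, not taken from the page).
SAMPLE_TRACE = [
    {"pid": 4120, "api": "RegQueryValueExW",
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo", "value": "Nation"},
    {"pid": 4120, "api": "CreateProcessW",
     "command_line": r'powershell.exe -WindowStyle Hidden -Command Add-MpPreference '
                     r'-ExclusionPath "C:\Users\victim\AppData\Roaming" '
                     r'-ExclusionProcess "svc.exe" -ExclusionExtension ".exe"'},
    {"pid": 4120, "api": "RegSetValueExW",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svc", "data": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"pid": 4120, "api": "CreateProcessW", "new_pid": 4188,
     "command_line": r"C:\Users\victim\AppData\Roaming\svc.exe", "flags": "CREATE_SUSPENDED"},
    {"pid": 4120, "api": "WriteProcessMemory", "target_pid": 4188},
    {"pid": 4120, "api": "SetThreadContext", "target_pid": 4188},
    {"pid": 4120, "api": "ResumeThread", "target_pid": 4188},
    # Benign noise: an unrelated registry write that must not fire the Run key rule.
    {"pid": 4120, "api": "RegSetValueExW",
     "key": r"HKEY_CURRENT_USER\Software\Acme\Settings", "value": "Theme", "data": "dark"},
]

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)
# Per-user or machine Run / RunOnce keys (the key path ends here; the value is the entry).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# The key whose "Nation" value holds the configured GeoID used for geofencing.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo$", re.IGNORECASE)


def classify(record: dict) -> Optional[str]:
    """Return a signature name for a single record, or None if it is unremarkable."""
    api = record.get("api", "")
    if api == "CreateProcessW" and DEFENDER_EXCLUSION.search(record.get("command_line", "")):
        return "defender_exclusion_via_powershell"
    if (api.startswith("RegQueryValueEx") and GEO_KEY.search(record.get("key", ""))
            and record.get("value", "").lower() == "nation"):
        return "geo_location_check"
    if api.startswith("RegSetValueEx") and RUN_KEY.search(record.get("key", "")):
        return "run_key_persistence"
    return None


# Ordered steps of classic process hollowing after a suspended CreateProcess.
HOLLOW_SEQUENCE = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def find_hollowing(trace: Iterable[dict]) -> List[int]:
    """Return target pids that saw CREATE_SUSPENDED followed by the full hollowing sequence."""
    progress: Dict[int, int] = {}  # target pid -> index of next expected step
    hits: List[int] = []
    for rec in trace:
        api = rec.get("api")
        if api == "CreateProcessW" and "CREATE_SUSPENDED" in rec.get("flags", ""):
            progress[rec["new_pid"]] = 0
            continue
        target = rec.get("target_pid")
        if target not in progress:
            continue
        step = progress[target]
        if step < len(HOLLOW_SEQUENCE) and api == HOLLOW_SEQUENCE[step]:
            progress[target] = step + 1
            if progress[target] == len(HOLLOW_SEQUENCE):
                hits.append(target)
    return hits


def triage(trace: List[dict]) -> Dict[str, list]:
    """Map signature names to evidence: record indices, or hollowed pids."""
    findings: Dict[str, list] = {}
    for idx, rec in enumerate(trace):
        sig = classify(rec)
        if sig:
            findings.setdefault(sig, []).append(idx)
    hollowed = find_hollowing(trace)
    if hollowed:
        findings["process_hollowing_via_setthreadcontext"] = hollowed
    return findings


if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_TRACE).items():
        print(f"{name}: {evidence}")
```

Evidence is returned as record indices (or the hollowed pid) rather than booleans so the analyst can jump straight to the trace lines that justify each label; the Run key rule anchors on the key path ending in `Run`/`RunOnce` so writes to unrelated keys under `Software` do not fire.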

MITRE ATT&CK Enterprise v15

Tasks