Extracted

• • Target

    URGENT REQUEST FOR QUOTATION.exe

  • Size

    775KB

  • MD5

    3fd59a26eb8f645ac1f88e2ec2a3137a

  • SHA1

    eb5135dd863bcfefa4a8e9e2fbd686068d6354e4

  • SHA256

    785b8115d62f971593bacb7ddf5e0f0fa03ad2d3a077b91c88de788ee83f62b9

  • SHA512

    486d81f9f07bd156ad5f1bcf127e4484399f8d43d1a6cfb09919f0971b276477c8bb5e7debd43087739c8c462488804f299017a043916c88ffd2318ecf7559d0

  • SSDEEP

    24576:IWtb3BEXqdGFXcEm5t3bpP0PHBU4Z1ZM3fyD:TZBEqGKEm5HEhT06D

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2