Extracted

• • Target

    001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta

  • Size

    5KB

  • MD5

    3ef5759d457c58dc4c8c9b6c15aca5fe

  • SHA1

    be35dffec6716bfe6ece66f7e140b8df97d5b994

  • SHA256

    17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32

  • SHA512

    c6b8c4452b774cd782b75891048ca0aacf1ffd0af55536e0d3a7643b6821b46004225b47bc4fbc81fd95c5f6f6aa0eb6dc34f659d0654b29a05b521c431b45e8

  • SSDEEP

    96:buOGiiV+5y/gkgBONHwBB9HaXa3U+1hTIbtu7ZEhtNsim57V+ICgCtUfkX:ypD/gkgywP9HaKk+rTIBeuhtNN2CLtUY

  Score

  10^/10

  agentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2