Extracted

• • Target

    2b48bf8b6d8366e4f7e6e03e5f799a8a115e06a3321fdab8f2e45cd6dee42d48.exe

  • Size

    1.2MB

  • MD5

    8235a9078656e3e8a8b90657749faa5e

  • SHA1

    77a1d0fa98939af1d551f90981b9793aa2fc8da3

  • SHA256

    2b48bf8b6d8366e4f7e6e03e5f799a8a115e06a3321fdab8f2e45cd6dee42d48

  • SHA512

    18bbf82bb6904739c78426c3e9d7e7a32e8e7908bb92cb10eb1d5360638722d5bd289814bb349b05741d35c4ff43489524504cd777c01050054f272e7078ceac

  • SSDEEP

    24576:xw4bjw4biPl/hJxcpOUR9HsRia5T6yy7UHjR:xw4bjw4biPvSOEsYMOyEq

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2