Extracted

• • Target

    c4ee2ead2c1f1b2b5420280522acaee51469844c29807fd274e2d06f2044c410

  • Size

    9.3MB

  • MD5

    5f566e46a2acc85e1dad153ac1ab7f19

  • SHA1

    b1ba70b980793c7f6389d3779b34f4c51014308a

  • SHA256

    c4ee2ead2c1f1b2b5420280522acaee51469844c29807fd274e2d06f2044c410

  • SHA512

    57b35345bbcb5fd48cd46a5d0e0bd6fa0b5aa34c5964cd77b24f6b52be8dfe0586d35a995e02b3d97f6f3a0289d8241e1d424eae924a6002f389125c7ae27e7b

  • SSDEEP

    196608:oBPYvqBtmaxkFfx79H4q/p4OtxdoVAx9GM2RptVof8VmYV3B0SFqx9KWNj:oBAyBtjxkF8I4OZo6x45ptqEcYV3W2CJ

  Score

  10^/10

  agentteslastormkittyxwormexecutionkeyloggerpersistenceratspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • AgentTesla payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence
  behavioral1behavioral2