Extracted

• • Target

    1016470de70ad474db747b45ead6fad652e488bc6c696a5ffc67b436596f6daa

  • Size

    5KB

  • MD5

    7c38c243d130cc60ad287a098193d3d8

  • SHA1

    f2200655f1acf9f00ef9f68c88060b35e0c8fc71

  • SHA256

    1016470de70ad474db747b45ead6fad652e488bc6c696a5ffc67b436596f6daa

  • SHA512

    c7f46c06d9358de5a3d161d3cc3eb6d03176d9f1ed937b5bfd928879082f1176cfb980e9956ab0d8bf646175b049bbc0f35db1a3f8455f8cf1d3715d9441ec92

  • SSDEEP

    96:v7FM4bb4pV7YV+8Ll8hplZhGsQurl8hMPhLhjSsQPhoEDFS8ZDfZt6AOX6Bfd+nC:aLu1lQpl/p/lQM5VREa8dBt6Ad4gpP

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2