Extracted

• • Target

    RFQ.exe

  • Size

    628KB

  • MD5

    ba97256b4d080d888e23a8b21cff1081

  • SHA1

    f6043e4da786ee714ab13ca8a04b93ba1ecdec4c

  • SHA256

    2c4f306c8ea0e7b6af8d8637e23a78fffc81d7343d380ea1367653cb1ee2dc0f

  • SHA512

    178a6644261e140a92a140bbab82c2a812de46c5d02fe8fd8ac053ca9a5c25624b69a1ccf7c6cc073afe6b0f52b874d76057533d4fbd0e94c08fbd40f554df7a

  • SSDEEP

    12288:+LYaA+15dRhkoyPfDJpVXwlnf+oAFOEOki/eVsmyP9Bx7vjlFKIdsoYsRXGPlYv4:UU+15dRhIDrVgV2FFOEZw0g5vjyQXoai

  Score

  10^/10

  agentteslaexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2