General

  • Target

    1e3c53cab7ec31c5d5bb2fd4c84ae556.bin

  • Size

    648KB

  • Sample

    240530-b7szbsab4w

  • MD5

    27583053b55b65ef9f5dd84d843b8b4d

  • SHA1

    0f3a0a7e1fd326b6aa21c236c4cedb74a82b43b6

  • SHA256

    09176014034d12f152e9b5d046b5f9748f7b5233a267c7cc0579dedd04d695c2

  • SHA512

    bfc5257e5e2f102256e3c3d6f150e4a3ea43359cdf72255f313e10a1a017295aab9624e2cf3329ff4e152219b90bc6068c4e4a3ee711d17184712612a819f283

  • SSDEEP

    12288:xWd30WKqpznzMAqZzkEQoLZbkXlPz4F+i3xis2teqTRkdS6rx1pxqyec12Y:cd30ow3NkJ8bQ6FxF2LTu46rpxJec12Y

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.strato.de
  • Port: 587
  • Username: [email protected]
  • Password: 6M9L22

Targets

    • Target

      31bdc1cbcf58dae297131e9f07035d6d33211744187d60ba9272a7bf4c602b42.exe

    • Size

      935KB

    • MD5

      1e3c53cab7ec31c5d5bb2fd4c84ae556

    • SHA1

      6901f5ddae3e440786ede838f2f67e578d89f74f

    • SHA256

      31bdc1cbcf58dae297131e9f07035d6d33211744187d60ba9272a7bf4c602b42

    • SHA512

      685d4b6900462fd498f60e6ea6f602b6555e1d6c07d4f85cc290d57132df8ba6f3308e7b8f5d1b8f40fa19d549fe15e59be73f4de538c3e79354156752b68a82

    • SSDEEP

      12288:XkZRz8UfY179W/gDcr+2yhqCGWnuG1wgeYOhlmdkzb:UZRzTY17qgDcr+2yhqCxnu87v4h

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks