General

  • Target: 317af2651095721e59720d85d6a20a92fd87f832abfe15102f6d9d1fb7b89582

  • Size: 779KB

  • Sample: 240605-b91rysaf9s

  • MD5: 7953fe80b5eab508f78887b5daeb2f3e

  • SHA1: fb02a3a84b6f37a6bbb8e12ec340ce89b2685846

  • SHA256: 317af2651095721e59720d85d6a20a92fd87f832abfe15102f6d9d1fb7b89582

  • SHA512: 63361cf921783c62f3e10de8e44d59820236ab9efc6b7e075c17369f5113f0db37f74574d75e5ec8fa2976181e4782bf95db4709112f1e7db47d41dbdedd12f9

  • SSDEEP: 24576:SHtHXyoXNCuVUWyIK8e01xdCbFyUB0ji213ftMO8SVU:SHtHXyoXNKPxG1xky93URx

Malware Config

Extracted

Family

agenttesla

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
