Extracted

• • Target

    SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.16483.31457.exe

  • Size

    1.1MB

  • MD5

    1955eb58994139f76ff3ac25eef4a717

  • SHA1

    adaea6ee8e98253f79ee23a6d6e7154d0a44732b

  • SHA256

    31ea4b3caac19e152570c72004d306c5121748aeba67244e6233df2313f16118

  • SHA512

    422af38dbda97222f0a6616a294d51a1fbcf8aa3012e02ffac1a830383a30a467566856131b8f36596ef0435e3bfa7e2e5e75188582e277280fcde25dda0d6c9

  • SSDEEP

    24576:NAHnh+eWsN3skA4RV1Hom2KXMmHaGmqfYtsvxf5:sh+ZkldoPK8YaGFfSk

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2