Extracted

• • Target

    shipping documents.exe

  • Size

    663KB

  • MD5

    dd1c0c05fece823d0c57d0c507e9deb2

  • SHA1

    cfad01e0218e8ccc2adf740edc8bc594a0b3cd20

  • SHA256

    ba5b16c28def8e5d0ea0a09bf25b4d980fe89e3537f7034d775ccdf3bd9f5035

  • SHA512

    cd186111b32a33e23a9af82e986415ab45a75176248c5b3c178330fee14824dae5ff9ee2a90c84cb1f481ea22fdc9462f80411e0ffaf5d9080d722c3e7244272

  • SSDEEP

    12288:eFIsPALKLE97fl/JJ1B+7rdVYBbP7NYzDa2HQUphVonpX+Apg1k/oNRKFXlXDtkA:4IK+dlL1BSrdCB9YqhUKKVNRiNLznZ

  Score

  10^/10

  agentteslaexecutionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables packed with SmartAssembly

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2