Extracted

Extracted

Extracted

• • Target

    WaveInstaller.exe

  • Size

    76KB

  • MD5

    1b95a7fc10c0b54c7d807d1f7ee2b778

  • SHA1

    75d3a2f1d104b8f4950f59da9e829d61943e3e44

  • SHA256

    d2373e86e03b935c7c24993f2a567a7e9f3b477c460a4c061da4000de493fbd8

  • SHA512

    b225f9052457b5de3728f1f2bf5cf17905de780823ccaa0139e0f559212a05bb177297d950783084cae87f4da217c94d8ad66124f0a3c6946bd5662a43395d4e

  • SSDEEP

    1536:kpn26tWBE8jMMx4yBmEbTb1XyM6lk120w6hO2GRKVJjiS:kpn2FMniTb1IH0w6hOFRKnr

  Score

  10^/10

  agentteslagurcuxwormevasionexecutionkeyloggerratspywarestealertrojanvmprotect

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • UAC bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • AgentTesla payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Blocklisted process makes network request

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1