Extracted

• • Target

    61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826

  • Size

    1.2MB

  • MD5

    2ce48ee21074ae8d6828f50d79e00866

  • SHA1

    2f33630a3f8999d345a7b8391a1ef2a01bd1caaa

  • SHA256

    61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826

  • SHA512

    da43c141dabf296147c094538478319efba2db300fd13f1a80a7005cfa540bf8ec034f72f31000607036c49aafd12f78016e4bf29a84ee65942e6dcdaa3c6381

  • SSDEEP

    12288:w2GnV7AO0avo+SFI6GD1yT5mM+skG1J72a6TMDQmCjKNrU:ZGnV7jaFrRzlL72QN2

  Score

  10^/10

  agentteslarevengeratcredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • RevengeRat Executable

    stealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2