Extracted

• • Target

    69c1ef5f4a9e679fe108602e5e6a6b1b865bacfef68adbda17fe66c12263c5dd

  • Size

    1005KB

  • MD5

    4d659ae062c27e18aaf32f4735f65e9d

  • SHA1

    6f9f01253f629da3c49ccc2901887b57eb1bc9c6

  • SHA256

    69c1ef5f4a9e679fe108602e5e6a6b1b865bacfef68adbda17fe66c12263c5dd

  • SHA512

    55f26f40cbc7e89aeb9f26c99d8a3c31f5bb7385316e24277e3d11d46a04175beb1e2c50c24b7765dc2a7f9fb73bec833d8c44ed5dbd89313691623cda9c9542

  • SSDEEP

    24576:1k/1q893EUgNC/rFGRbP5qYO0c+P1eZsr6nnjqKoe:4koUvC/oRPEuZoLjqKoe

  Score

  10^/10

  agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2