Extracted

• • Target

    NEW ORDER PURCHASE.pif

  • Size

    760KB

  • MD5

    cde7970091a0b3fd19f7f8f3a855b583

  • SHA1

    6c55f16de86b9dc9052c5e2fe2d94ce6d7e79e9e

  • SHA256

    8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9

  • SHA512

    19bd3514fdf5d0ff6b47268795bd13c03401d6adb74553e578b7bf40b1c5219ebb7fd40c9f587ff8cf1f3a1f7d834ac5cb006c66d0374badc7d897033625cdeb

  • SSDEEP

    12288:zU3929BC4rqhpfVIbQMjRq/3ml/bCoygRFg+48MMOI/bxqbyoZ48oLBbl+d/WDwt:zU89BNuhEbQM62UPjZU/lqjY1ZUW8t

  Score

  10^/10

  agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2