Extracted

• • Target

    Petikan segera.08.10.2021.xlxs.exe

  • Size

    498KB

  • MD5

    b6a26b6912def25202d5c5b3a7cef7ef

  • SHA1

    c61a6ca3cf061a2ba382a77d5e697f1dea1e99f2

  • SHA256

    e4c04b184aebbb0c4cd7533d2432c5a3699ea15e3fdebcaeec49edfea97cfcf1

  • SHA512

    754d0f094e3860f5196a041d841ffa7990d1b6a32749dfa5d13920fa13d1956441fb0bea097ee410da84da6d1f67c72a4ecb1e315ca7dc7dd86734e83bdf4f69

  • SSDEEP

    12288:rADyL9pD3+r4m5GEh0AGdu768pSIt/cPU0Xnt0m:0+L7DWY60AB7VpS0/AU03t0m

  Score

  10^/10

  agentteslacollectioncredential_accessdiscoveryevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • AgentTesla payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2