Extracted

• • Target

    TaliBanStealerInstaller (1).exe

  • Size

    3.5MB

  • MD5

    5850298f6013269a36759882dc81e7e8

  • SHA1

    1a008cbb6de09bb87a4ba2f84ec55870b138bd3a

  • SHA256

    1b294c0b3d277cac6695fc5a3e89f0a151b71233dc56e326cf6adf92a06cda6b

  • SHA512

    26c92d1b4382364060d3acfdc0b322cc9e84c57e6fcf3aa9adde896cd69e8be508c104f94890bb4d9707a06bc7a47a454f7ad1f4700ed493e51511825b1da2da

  • SSDEEP

    98304:ygYQtfcZK0KtZogGCTFQN8FY2X6uzJ4o8:dco09x2ZYOfd4o8

  Score

  10^/10

  agentteslaxwormdefense_evasiondiscoveryexecutionkeyloggerpersistenceratspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • AgentTesla payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  behavioral1