General

  • Target

    Release.rar

  • Size

    27.0MB

  • Sample

    240903-zff3fswfmk

  • MD5

    81f706252f541dd8a1e3ad3140aa3151

  • SHA1

    8a1bfb57d8ef950d04555a94af0304d2aad202d0

  • SHA256

    f6d30737ce669f8a1c075d6712309a9af6dd3bc5d6e3b5c6baf4f35c886a65bc

  • SHA512

    f069e96bc16e9c4c5f62a0f4ce6fd3d8c4f6a9dfde787e01bbb10d43579c320105716d6ba890b6d4459a30693a997c7956b0f4da06015876c4198677dd159d84

  • SSDEEP

    786432:QJE3uT7PTSNbLr0bMlw+dyzci2a6mrmQY/IJ:QJE3qbTSNbEbz0bi2QmpIJ

Malware Config

Extracted

Family

xworm

C2

C0re-51178.portmap.host:51178

Attributes

  • Install_directory

    %Public%

  • install_file

    svchost.exe

Targets

    • Target

      fix.exe

    • Size

      73KB

    • MD5

      b7b56d4bc5019b4b679714d2be92bfae

    • SHA1

      2de2e4a0fcbca05d5e404458c5ee97e3ae446588

    • SHA256

      2d10f1ac9b2e5ef7f246f35f39af12fa70054a8eaa7b7c200961241b49468dc5

    • SHA512

      1802eb959489d01ed4c56c5ea1f7729432be21513c2cd4c141cf7491c9741158dc5095247a73c2023dae6b61a93c78d698a7a12f38a4b4004dfccedc7ac43ad3

    • SSDEEP

      1536:wY/jBSSiM/oHseUtR0DVRfgeoOzIbKyLZhb1z0f:w+H1/1tRkWeoOovOf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks