Extracted

Extracted

• • Target

    PO7804118.exe

  • Size

    893KB

  • MD5

    2137e10273e08d4a7de9cc4b972e8a12

  • SHA1

    736de35693a723137a5237c379450b1201b0a0b2

  • SHA256

    b8fa08e31085513e0ab8b0e0d0f7991c50f391e92f7593e19644ffe9fa8827be

  • SHA512

    715f7f7d97bb7d2c4f35e55cd998d982fa40dffaee2a365705386d5c26489c8ad51b6f5da413538dbafd579f9555d3958448bd654bc1778c880c0f9e5d4cb116

  • SSDEEP

    12288:c/BKYvI8ohK/opCle0WxdXZw55qpNdiTJqOxQschcj3+KkR:WOQosU0I7pyl5xnr+J

  Score

  10^/10

  agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of SetThreadContext

  behavioral1behavioral2