Extracted

• • Target

    eeb42a7de4e8a6099fd91f5f6fbea62b8c5990b3fa0efe054e61904d023e8965.exe

  • Size

    765KB

  • MD5

    a120a32f95b04048e4c35b5c2fa36fde

  • SHA1

    4d6e2d8d982a40d812891f8923f590babd30bf45

  • SHA256

    eeb42a7de4e8a6099fd91f5f6fbea62b8c5990b3fa0efe054e61904d023e8965

  • SHA512

    85aed661acfbad525132812f12b3eaa2138fc8741c44b184dde6af4239f80ef63f927254c5cc5e8fdaa514b9fa5f585ada2567bb61b902af77e5e0f1ecde133a

  • SSDEEP

    12288:aTI03sW/XDRTKVrxt4PqMT3w9ccWKCmCPqGH7PA61m7tPoz2J4BwGATV5Rx9yn9B:OI8sWNmrtqbw9gKCsGHzA61m7NkwGAZp

  Score

  10^/10

  agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2