Extracted

• • Target

    fdaaef3df184431dac7f489471ec9de34d4dff895ef7b04be85eb40117477621.exe

  • Size

    646KB

  • MD5

    e372ae48f6c86c7491a89876df42aa4d

  • SHA1

    04da90d9bf4af0778b27c6f5f8890096ffd7061a

  • SHA256

    fdaaef3df184431dac7f489471ec9de34d4dff895ef7b04be85eb40117477621

  • SHA512

    38c15bb091d79f52a5952fa757581b9a3dedcba39effaa81cc6c75739386a8bd0f8c8cb5d8c0be9d54c66dd4d48341360687c8ee0673f31a73476a089991c22d

  • SSDEEP

    12288:YltuKOcMKJ/TI+oeGuL9JaLNvsNP6L/Dm6Vp2qBZznT4OkfG:AOo/c+oeGuROtaPyCU2yZz0OmG

  Score

  10^/10

  agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2