Extracted

• • Target

    Paymet.exe

  • Size

    2.5MB

  • MD5

    2fd029782f709559adefb235eedbd093

  • SHA1

    677219bbd0ab70938a2a658b336418df69c9bb15

  • SHA256

    fe03eaf28bc8911f525983a47431e8e4d338a8abc7f2c7833596480ea5eddb02

  • SHA512

    c86032f2060a89e82ee32549612d5004d10d23010f3e7647821bac25a05340a381f7e0355be63d8ff7f8ccd4d26a2605dcda3e114bd3471e2497410f6b7e029d

  • SSDEEP

    12288:fHPEAmDrpKPtlUM7X1dsUxawC66IHn4Ks6axdNFAzE8l1+/bU5G7AOsS7o:fHPHDUujFC66ge5FMRl1dG7eS7o

  Score

  10^/10

  agentteslacredential_accessdiscoveryevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2