General

  • Target

    1f2c15231eafbca1fb5a99d5abb83254ac352a60aee2ad1b0c9b5a3ec79c5a39.exe

  • Size

    1.2MB

  • Sample

    240924-bg2hsavhkf

  • MD5

    719c383a8fada83f805b51239a2aa783

  • SHA1

    0893fcf8a3a27f38b416b0c56ac88f96556262f5

  • SHA256

    1f2c15231eafbca1fb5a99d5abb83254ac352a60aee2ad1b0c9b5a3ec79c5a39

  • SHA512

    90771d390455cfd394ff93bdad99515ac400ef918fcd3215ea19f5d06b79927117d87d34f7845d1f937fd71246441c1b43f4b056131bf13764dfe38479cd6133

  • SSDEEP

    24576:VDenzYxgITPxj/Xtk1YGm56Td53/Pdbgn06bbC9:9ezsPj/XomI5vPdbAbm

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks