General

  • Target

    73b8a2fd3dd6b8966abda445e9d322dea069df2a357d9dbd81f683e4c4065529

  • Size

    788KB

  • Sample

    240924-tjfcfascjr

  • MD5

    f1141dc611fae8a5a6c42fc3f6d80a1a

  • SHA1

    751178098a65c96a0dd1df0187d7bbf156231ffe

  • SHA256

    73b8a2fd3dd6b8966abda445e9d322dea069df2a357d9dbd81f683e4c4065529

  • SHA512

    e46a32882981d229aba37c38d51aca591374decec5069abfb4adc14f25348580b34681048c577025bbdbeba2cca2bb22d22e8bdf2d2cc56884d43864aa3fb8a2

  • SSDEEP

    24576:fEQyl8zfv2GjJmnE6QsxSc3zLYZPUIe8DBo9dpn:fCfqJmEBIS8zLYZPzt0j

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • Target

      POYTR56789900.cmd

    • Size

      802KB

    • MD5

      2d0ad7779ec8291f001e3706a427b8ad

    • SHA1

      904e520fbaa11abcd2906b68dfb85ecdb0069e55

    • SHA256

      b3c8caa00c7ffb39c1602051d1f48105e223ee1da817e9b37bfea0f35e629b1b

    • SHA512

      ac4c30e36944ea676ff4543c74f78f99b394d421933437a5202bd084875cc1b180226daf1df8f8f6c08b7c67f3c12bbb4053f6429a8337b1ea825dda32bef80a

    • SSDEEP

      12288:v6Wq4aaE6KwyF5L0Y2D1PqLmHRc3JalaLLW+ITJ3UiEGE3Gt3FoppG/i4BoPLppz:tthEVaPqL2c3rLSTJuWcgpBoP9pz

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks