Extracted

• • Target

    DSR0987678900000.exe

  • Size

    3.6MB

  • MD5

    780e6f2c7b7d9742a94b9e2da18b58fd

  • SHA1

    275324c7b0b61ddc600df5c690ea35f780114ed8

  • SHA256

    8a5e154d88d238dc9a6970558ffd02bbd00dd786a0e7d51c3cea80badeb78e7e

  • SHA512

    496f488ec5f619991b4ec8fd5bdde987315f1c2d18e5158e44d336569ab5c46cdf1d055d5e17c86afea669e1b6480b4bd73af5f5c403af67e415acecee7e8290

  • SSDEEP

    24576:b1qb6oWgPEfagb8P1Wil/q4GEsYR+xtr8:Ib6/gP/1GEsnr8

  Score

  10^/10

  agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2