Extracted

Extracted

• • Target

    RTGSWBABS240730NEW.lnk

  • Size

    2KB

  • MD5

    82937aae96fa6a40b59703eea97ce1ef

  • SHA1

    d23b17711e2e65609c9973d6f03dde3d2acb3568

  • SHA256

    d820d9f270915fc81bedefd16bf7b8a20cb88a4d1e55d8566b9367fa494ac356

  • SHA512

    f3d66ad7d89da4bd494f173506ced0fe46404a786876e4664658e0db4b8075a18e0579f4bb5319aba9dee9338b1f64782a2b3f1f4d7640187b4dfbc0d3240bc8

  Score

  10^/10

  executionagenttesladiscoverykeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2