Extracted

• • Target

    38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106.exe

  • Size

    920KB

  • MD5

    78eff09f295aa4b3aaf36af5245efe94

  • SHA1

    dea545e8b85f2c1201f7aa3a54f643826ca8a6ed

  • SHA256

    38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106

  • SHA512

    a8b49247156aa7004206f24211054f7f37c73df06e8a85ecf843e9c44cc99a5cf29886e85ba03d89a87a1d3968322c25cdef7877ae6c5efcfa946910204ce67f

  • SSDEEP

    12288:T3TEG/N9AKPGu+MAyn6+6Slh5/2qVe2lR8XaZW4IaBAP7r9r/+ppppppppppppp7:8AnAPRo6+pPOnoR8X2W4JBA1q

  Score

  10^/10

  agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of SetThreadContext

  behavioral1behavioral2