Extracted

• • Target

    810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63.exe

  • Size

    752KB

  • MD5

    6d59e320844353e2006021b4f44598b9

  • SHA1

    3b41aca9c2823a30611522c424ffb408d850188c

  • SHA256

    810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63

  • SHA512

    b54ca9cc5648cfd9d17d49fa472763577282cf4795324deae8903b9722b1e2e6e78557f94adfd4b429c4f0272d88a062051ab6a2e64ebf4246b0ddc21c2721df

  • SSDEEP

    12288:9Tv+zZK/vEXpwLvrKC5j8BWE4w00q70S/D9tNvk:1vGKHGgvrKX4LV/5tNv

  Score

  10^/10

  agentteslacollectiondiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2