General

  • Target: eb4cc2471fc7f8ea70bcf2c2c6531eec40116e2936808c462fc362a83b0f08a7
  • Size: 617KB
  • Sample: 241003-m8jb3a1ale
  • MD5: d76e94614c1bd6e0619041066acc0e00
  • SHA1: 9e6e81db873195ebc5b7ac01f0a51a42ea51d429
  • SHA256: eb4cc2471fc7f8ea70bcf2c2c6531eec40116e2936808c462fc362a83b0f08a7
  • SHA512: 2c669070ad3afbb528f149362e5914f0380890b08b93f24acb4402a3ef963698a26c8edb49f77b5abc6c7e35eb493749d38f36b32f3e068bb9f78b01aed44da6
  • SSDEEP: 12288:Y/gqh+C3Tu9W3Q88SZxdaKHcPaTHw0CM49qu7ipYL:yh+C3Tum5Z+a7w0X3u7i2L

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.apexrnun.com
  • Port: 587
  • Username: [email protected]
  • Password: %qroUozO;(C2Rlyb

Targets

    • Target: dIg1H3IegSv8WYB.exe
    • Size: 789KB
    • MD5: 7083b7a10e7b74aea9cf6c6b9dd3fe45
    • SHA1: e3769b1fa1dbcdef6bc7efe18aa0cf21e9507cd0
    • SHA256: 83688d7b2b5feff8ecf5ab902d206187815d1759858129e85d9b2e2673d935b4
    • SHA512: f3b174947e2a2369303b7a6478540cdcf7d075781883d55e2f9bc6aa341438be378e7455c27f6562af81bf4c292941b047fd690cada210f43c9574d0b0135229
    • SSDEEP: 6144:9ENaneCZj70XxIQRVA+bIRsli6A7kh9iaqTHMpDaTJM906xm/2qjYXhflK73GVGM:+KQIMnbQKymia4HcDaTJw06IXjGJ7N5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
