Extracted

Extracted

• • Target

    faa7829ce9f42c0f66f754bda78ed09257191d44be15b16583e1a2df1eceff64.exe

  • Size

    1005KB

  • MD5

    36c593a2ceb2680510f2094cd6e4010d

  • SHA1

    03f1e81a26c614bcac620bbcd7a90f078e7d6146

  • SHA256

    faa7829ce9f42c0f66f754bda78ed09257191d44be15b16583e1a2df1eceff64

  • SHA512

    0aef0057ec535bb8b892462b9859396ca59531913eeed4385e6680d1930d85fc1cec6ee12802fa3c4c397b2240f63850eba140179c92e3f4ce4a8baf15f1a9ca

  • SSDEEP

    24576:UgD0Xah46clx/flW5y0DGeYongL84sNEQj:UgYXaefsZ3YoY84gjj

  Score

  10^/10

  discoveryexecutionagentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Blocklisted process makes network request

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    Unengrossing/Independable.Ovi

  • Size

    54KB

  • MD5

    9bb7bc97960fef33d8884cdca423c2dd

  • SHA1

    a316731a54a85c2b2c99be377b81196a08c81d7f

  • SHA256

    e03ca6b56a172df4b35a9862314b1c8993d4981923a7bca152b8324931f3b303

  • SHA512

    3b314d83e646b01e5e2506cb9d16101fe8f3f5ae1ee74291fd12ac6be5abb80ebc8c55cd19fd07050962bb4181d16ace9f12d3100f86ca6cf6962faecdef45d8

  • SSDEEP

    1536:h4gmjN3ekb38e9Q4rjWK2kO6qXmBIvNdMhsf6x/u6T:mP17x9QAjZlIm6/MSC

  Score

  8^/10

  executionpersistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral3behavioral4