Extracted

Extracted

• • Target

    4842cfe7f5fc8b3bcc22b0049e03edc16393e06ea5e486cb5e9ddbe7a21cd624.exe

  • Size

    445KB

  • MD5

    6b63bdc24b2e1162073514f7934a4f9c

  • SHA1

    c879e7e6aae7427d076acb33b55acb788aecddf7

  • SHA256

    4842cfe7f5fc8b3bcc22b0049e03edc16393e06ea5e486cb5e9ddbe7a21cd624

  • SHA512

    dae2cd4f41b7be76f97b1b7238819e019fba7a14eccb5768abe1d180eb0e28f933bd9b5a9fa52abc0119539703f5e453b70e01037d9a55fce9bf101b0df911b9

  • SSDEEP

    6144:NqC56ALcmpQFbVySc2pxkYihgnHcbS48a782EYCLrQjEBtMWc/+TxYyA:KA9WL5c2pEh2gV8axE1wlWmcYyA

  Score

  10^/10

  discoveryexecutionagentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Blocklisted process makes network request

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    Rapses.Arb

  • Size

    51KB

  • MD5

    c7b38eb59906350c5320fba41407d4a7

  • SHA1

    2c6b4eda941d4f23d1d5969fc7cf06e689450de8

  • SHA256

    445c94fa7b8c3f9a7a84bc797ff21109431e9fe512b58d5b4e63581138cb0e61

  • SHA512

    f3c52188a2c107f1011ae156bd94c8d2465c1d767a166049b374f1bec023f0b123b185f280a5e3b8787bca065ae69ea8a2945eb68e88be778c202824d670bc19

  • SSDEEP

    1536:8OVz0fE7uE4vtvko03n0rytHgbzgj0nboBKC480B1gRf:zznQkDEyNcE0MBKCO1mf

  Score

  8^/10

  executionpersistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral3behavioral4