General

  • Target

    ZAMOWIEN.EXE.exe

  • Size

    426KB

  • Sample

    241008-ksrbmasarh

  • MD5

    76c9f492fb7a8f80ec783e727b9cd83d

  • SHA1

    d29380e856c2855296bfbdc14de2aef98bf90c3d

  • SHA256

    ac5ace4225e767aa30c1a5d950826c2545887e07027bdba89f653583ca65441d

  • SHA512

    927cec7b1d2a3414e58ff973aff0525cc79375e118449c9b3f62c0d02d82fe4c2e9d8a6ce446caf17ebc48674b377492be8845abcfaa7e597b3c32750783e393

  • SSDEEP

    6144:NqC56ALcmpQFbVySc2pXKJv4Bsn4z6XCWtB/DWfFcCrESnJCd6DRptmr1QHPVTgo:KA9WL5c2pXK+yn4K/uSoESnXl+ZQOE

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

    • Target

      ZAMOWIEN.EXE.exe

    • Size

      426KB

    • MD5

      76c9f492fb7a8f80ec783e727b9cd83d

    • SHA1

      d29380e856c2855296bfbdc14de2aef98bf90c3d

    • SHA256

      ac5ace4225e767aa30c1a5d950826c2545887e07027bdba89f653583ca65441d

    • SHA512

      927cec7b1d2a3414e58ff973aff0525cc79375e118449c9b3f62c0d02d82fe4c2e9d8a6ce446caf17ebc48674b377492be8845abcfaa7e597b3c32750783e393

    • SSDEEP

      6144:NqC56ALcmpQFbVySc2pXKJv4Bsn4z6XCWtB/DWfFcCrESnJCd6DRptmr1QHPVTgo:KA9WL5c2pXK+yn4K/uSoESnXl+ZQOE

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Stenklver219.Int

    • Size

      52KB

    • MD5

      78082e39dd451e1d5043bcd0d5a72b8e

    • SHA1

      ae870a41f8b0585cacd05d5c6651e83460092325

    • SHA256

      2f554bddfe10ada0fc5106bced02c8fc45e910848688146287d3423ef094a58f

    • SHA512

      8780e10971c1179d341e7f4bfd0089e9586cb05048a75196fbf1a09ec8f48f80ecce8e10b5e5546b311e48bf0c2b2a9e9c481050bfae184f8dfbd7eb5ee984e8

    • SSDEEP

      1536:D+e7Lz+gJMhdGvU91sV6KlRDGzjWqK3f61:SECx+y1swKlcWqAfw

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15