Extracted

• • Target

    invoice.pdf.exe

  • Size

    841KB

  • MD5

    4e1495585f1982eaf5368d897f9b1985

  • SHA1

    42e38b1a6e8e99e5c227afa2eec7d69a769f9a52

  • SHA256

    cbb385b8529f8c65542da6de1561bac167da44c7de62a3f82407182db4aab8ff

  • SHA512

    8b85444b75ae621907d28f4d9b8155bcf00a977328c395f5e99523f64176fa641970840de773143f43bcf0a82cefb14cfd21feeaef9aa7fca3ce1a44b76e1f59

  • SSDEEP

    12288:7caQxt8JvG8LbgDPwFVt2NjFPAgUhNELNBcYwZeJSL/pJ2bjon6r3ZOHnqYkDo:6qb0wFVMNjehiBBcF4JSFob8n6jEHqC

  Score

  10^/10

  agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • AgentTesla payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2