Extracted

• • Target

    PURCHASE ORDER-6350-2024.exe

  • Size

    614KB

  • MD5

    e25b8037dca1fdb8e69cb26bd1cb4f17

  • SHA1

    5a05ef1979ba60a139cb987e7ab3abf1115acba8

  • SHA256

    42db38678ebdd31dbcab40014ff3b96a8b263f77e8484901226defbdfbb8eba6

  • SHA512

    24e783563daf3595dc341c080103976c1a9303f1e7a40418581e5abbb88ace04c341217c7d165e6f36fccd2800108efe454fb6a7acca127a1f8de8b0e2b7f4c1

  • SSDEEP

    12288:UnCgemEOtMBeSoLZTglM5L/O9PVRcVyZIPaCby:qlEj2LZd0tSVjby

  Score

  10^/10

  agentteslacollectiondiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2