Extracted

Extracted

• • Target

    Vessel_Doc_OCN2613132.bat

  • Size

    836KB

  • MD5

    9deac3b107399c40c2cae221953baebf

  • SHA1

    e1c5c291a1a25f6895d206f6b5cce1db999b3f87

  • SHA256

    9ca515b794477e792d95386fb74f8efe7fba769a2a082c5ebb3cc2b7d2460a95

  • SHA512

    343eaead74d70f7096a60ae1c9d25374ef456ae3b271b7f7024b09057b060ed26f0a042be99ba0c0c0225505c9995360bd9a48cdf29176abd3baffa48073d1f0

  • SSDEEP

    24576:CqZKKrVbCx3YN3QzB+aci/9Rvg9uMiv+7Har:sKlCygX1d4e

  Score

  10^/10

  agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2