General

  • Target

    c484d1c87ed6f1dcbaef5883c6d44064ce6e2d17968540f9ae84ae060a74d920.exe

  • Size

    808KB

  • Sample

    241010-m7nkdsvajg

  • MD5

    c7dd1d7ee7b2e89221b5cd16eb69de47

  • SHA1

    16d9dc689be349a7a9323ef1d24bede5d5f26a4e

  • SHA256

    c484d1c87ed6f1dcbaef5883c6d44064ce6e2d17968540f9ae84ae060a74d920

  • SHA512

    b320649b9bd6c625e292225ca4e9db97bb4ccde58934ecba8c5d8697d86fd789b757756c21a0a14e34da0ca1ca836d222d7e32031c51b8ae5d103280b2fc058d

  • SSDEEP

    12288:mC/1PokorxT+56zE7gka2qdTC+c3SRkDA2T4j5rKuudmEe/:vFammbB1m39DnA5rFEe/

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo--c/

Targets

    • Target

      c484d1c87ed6f1dcbaef5883c6d44064ce6e2d17968540f9ae84ae060a74d920.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks