Extracted

• • Target

    Halkbank,pdf.exe

  • Size

    639KB

  • MD5

    d91288a26f3bba21b1b1a0370ad76e53

  • SHA1

    4732007644e147cd49b9f04256be558859be3fba

  • SHA256

    3b233c5cc8b85a8020975ed736b93644fdae180f1d6f5190d91a3512e813ba8a

  • SHA512

    fe5e95d982e5b73c29010e97652b6bcc435b90a73659099519ab1d112354416ca9d32bded3ddc475bbb002ecd4e31372bb2388d224e71efe889ca7a599e62f89

  • SSDEEP

    12288:Pcir1S2IoOAc6/5rZGmy4c/uZno/+gwbFYgcPGcJUOO7aSMf5AzKcWBBcKN2O0CK:6/u9o2LFYZnO5qnbkKKk0

  Score

  10^/10

  discoveryexecutionagentteslacollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2