General

  • Target

    80febe2173bea0e30264594d5234d1dd15e19160efcbd747a255dc2f00dcf40e

  • Size

    667KB

  • Sample

    241016-bqqgwazcmn

  • MD5

    75de05e477e1165f38cafc195187fdd6

  • SHA1

    bebc26db5edb4cbd37f9473495dd4e0af5c0a781

  • SHA256

    80febe2173bea0e30264594d5234d1dd15e19160efcbd747a255dc2f00dcf40e

  • SHA512

    e5503c88febb8b52b4b79b2b817a268dfa74c21d574c61767b0c24cb0c2322654efec7db706478eba369aa8a55791674c2c53129e1dfa2e5a0f8dae4a33dfa02

  • SSDEEP

    12288:Jm9g27ZJgJF/Y5qWpJvMJDM/Yf6efEQuMpA6vbJOQvNCWBjCBImh:SV7ZJgJFTWLvEuchfEQfvZwWBjWj

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      Request for Quote GE63138XM32.exe

    • Size

      834KB

    • MD5

      102cd04929ffa73b9584a7c6953a8ca5

    • SHA1

      6f7943b1901c44c28bc16483b4187bc8f15f5742

    • SHA256

      3890bc2638beaf831fb3ad49af5442ef5118d70a6d7c25a3fb0b05e47d9e75e6

    • SHA512

      ba7c17f3ddf61bf2a8ba7d2912b2a3b2737616bad21accfa84db8b958ab33a0b3b197a6326c240e8bbc23dfe8f0868bb68a19a20141e50ca9d9da258442e3694

    • SSDEEP

      12288:DeUSST7V67gJFlY5qWHJv/h42L7ukEYIbMpY6vbDOQv/Zlav7klgrdm4Vz0Rppp5:DcM7Y7gJFZWpvq2L7ukEYIWvPT

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell (Add-MpPreference / Set-MpPreference) to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that later-dropped payloads are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions, which WinSCP keeps in the registry with saved passwords that are obfuscated, not encrypted.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with FTP clients such as FileZilla (e.g. sitemanager.xml, which holds saved site credentials).

    • Reads user/profile data of local email clients

      Email clients store account data on disk, where infostealers often target it for saved credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is a common step in process hollowing and other code injection.
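As an added example (not part of the sandbox report and not the vendor's signature code), the following Python evaluates the behaviours listed above against a constructed trace. The event format, the rule names, the Defender cmdlet pattern and the artefact paths (the Geo\Nation key, the WinSCP Sessions key, FileZilla's sitemanager.xml, Thunderbird's logins.json, Chrome's Login Data) are assumptions modelled on the well-known locations these tools use. It also decodes -EncodedCommand payloads before matching, since base64(UTF-16LE) is the usual way the exclusion cmdlets are hidden from naive command-line matching.

```python
"""Behaviour matching over constructed sandbox telemetry (added example, not the report's code).

Event shapes, rule names and artefact paths below are assumptions modelled on well-known
locations; the events are constructed and not taken from the real sample.
"""
import base64
import re
from collections import defaultdict

# Constructed sample: base64(UTF-16LE) payload, the encoding -EncodedCommand expects.
ENCODED_SAMPLE = base64.b64encode(
    'Add-MpPreference -ExclusionProcess "RegAsm.exe"'.encode("utf-16le")
).decode("ascii")

# Constructed events as (event_type, subject, detail).
SAMPLE_EVENTS = [
    ("process", "powershell.exe",
     '-Command Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension ".exe"'),
    ("process", "powershell.exe", f"-nop -w hidden -enc {ENCODED_SAMPLE}"),
    ("registry_read", "HKCU\\Control Panel\\International\\Geo\\Nation", ""),
    ("registry_read", "HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\prod-sftp\\Password", ""),
    ("file_read", "C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\sitemanager.xml", ""),
    ("file_read", "C:\\Users\\victim\\AppData\\Roaming\\Thunderbird\\Profiles\\x1.default\\logins.json", ""),
    ("file_read", "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", ""),
    ("api", "SetThreadContext", "target_pid=4412"),
    ("file_read", "C:\\Windows\\System32\\kernel32.dll", ""),  # benign noise, must not match
]

# Common prefix forms of -EncodedCommand (-e, -ec, -en, -enc) followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (behaviour name, event type it applies to, pattern over the event text); assumed rules.
RULES = [
    ("Command and Scripting Interpreter: PowerShell", "process",
     re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I | re.S)),
    ("Checks computer location settings", "registry_read",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Reads WinSCP keys stored on the system", "registry_read",
     re.compile(r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\", re.I)),
    ("Reads data files stored by FTP clients", "file_read",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("Reads user/profile data of local email clients", "file_read",
     re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)),
    ("Reads user/profile data of web browsers", "file_read",
     re.compile(r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I)),
    ("Suspicious use of SetThreadContext", "api", re.compile(r"^SetThreadContext$")),
]


def normalize_cmdline(cmdline):
    """Return the command line with any -EncodedCommand payload decoded and appended."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError: bad padding or non-base64 data
        return cmdline
    return f"{cmdline}\n[decoded] {decoded}"


def match_behaviours(events):
    """Map each behaviour name to the list of events that triggered it."""
    hits = defaultdict(list)
    for ev_type, subject, detail in events:
        # Process events are matched on the (decoded) command line; others on the subject path.
        text = normalize_cmdline(f"{subject} {detail}") if ev_type == "process" else subject
        for name, rule_type, pattern in RULES:
            if ev_type == rule_type and pattern.search(text):
                hits[name].append((ev_type, subject, detail))
    return dict(hits)


def behaviour_names(events):
    """Sorted behaviour names seen in the trace, i.e. what a report would list."""
    return sorted(match_behaviours(events))


if __name__ == "__main__":
    for name, evs in match_behaviours(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

Both PowerShell events hit the Defender rule, the plain one directly and the encoded one only because the payload is decoded first; the kernel32.dll read matches nothing. Real telemetry also needs the parent/child relationship (the sample spawning powershell.exe) and the PID in the SetThreadContext event to confirm the target is a freshly created suspended process.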

MITRE ATT&CK Enterprise v15

Tasks