General

  • Target

    435bd867c8f4dabf459caa550f0cb9366e84928eff48bc1b0ac08075ee376e8d

  • Size

    846KB

  • Sample

    241017-b27kjayeml

  • MD5

    4440a77b32268de37f13f5bd1da47e3f

  • SHA1

    a8597ea43a6b352917dfd9306aed645d40be80e7

  • SHA256

    435bd867c8f4dabf459caa550f0cb9366e84928eff48bc1b0ac08075ee376e8d

  • SHA512

    f35a5be9f6bbfc55a760e395a44e282640943681ac552cc8d85f9cadbd89bf4a2d9eb33b317264069048607b3c06344a58a0d8f4d1f13bf967b93fd300e06e0a

  • SSDEEP

    24576:hxdtw005dokssW7u3SIBV5RKQI5rW6x4HSPP:hxDw0EdjUIvSQIFW66CP

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo--c/

Targets


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks