Extracted

• • Target

    e3a3e5be785395199b671c799bf7d1ee4535f7781e1917632c66cc0484024912.exe

  • Size

    2.6MB

  • MD5

    5cb85bce4496008098d3d9b82c7ced7f

  • SHA1

    5a3166d9e5a27b89adaf2d2669696b3c330b9c47

  • SHA256

    e3a3e5be785395199b671c799bf7d1ee4535f7781e1917632c66cc0484024912

  • SHA512

    a77efa5419c7cb750833218b3512fcc9e121e76667befd109b8837ef19e7818bbe62767b5f221479d7de0c37897f0fd34be97098c5787fab39c7e7aa7cee9fcc

  • SSDEEP

    12288:KP7r9r/+ppppppppppppppppppppppppppppp0GMVOLiZedZ/0dt9geW/iwJZxV2:K1qMK0EctKeVqfVxtXWmI/7khqw/hK

  Score

  10^/10

  agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2