Extracted

Extracted

• • Target

    XXKPgtA6DfbWnGL.exe

  • Size

    646KB

  • MD5

    a46d48a1136d980de16167a98e4c4f52

  • SHA1

    b43dbaca6a2a5873aa8c55df262166077db80e91

  • SHA256

    5eabc2ee89814722a4e157224e042211e7780ab450b8ed1f9311f72eb80f4262

  • SHA512

    818f4df314f166ecd56eab95dce27273ba28044627e39eeff1ab37a61fbd90d002778e04ed41594bd9c8e81d83a899d3818ab60bb6d8df05b3d75b8824f7b93e

  • SSDEEP

    12288:UhoU/s0y65KAkyeC6OWC6dwjGP/UD4NZI5vn5FDePkZOWQNg6cP:Clr3zebw6OGPcDqI5FDePk4WQNgHP

  Score

  10^/10

  agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of SetThreadContext

  behavioral1behavioral2