Extracted

• • Target

    03809df7dfacfd37c43744229fa815647220c01f3cef74206454bad065c2ec55

  • Size

    1.1MB

  • MD5

    26e8f1d34499f455df8ff9e71d834afe

  • SHA1

    d519c8b2fc96e7d1c2463b7ba2e801da5d886d25

  • SHA256

    03809df7dfacfd37c43744229fa815647220c01f3cef74206454bad065c2ec55

  • SHA512

    dcf32ea6a8aa0b5875793c76e5d22c28f268f17fc2db5253b2eba2fbbf22ba165ec30788873896ba5fa6891f44ae6f0dc7cfb43b6cd93659bca905eb941fd59b

  • SSDEEP

    24576:Btb20pkaCqT5TBWgNQ7a+cqpsR65qWj6A:SVg5tQ7a+cquw5d5

  Score

  10^/10

  agentteslacollectiondiscoverykeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2