General

  • Target

    065241fa6141590605cf478e95314f4ec999320fab79e52083ac73c9b66ccb8d

  • Size

    656KB

  • Sample

    241120-btceesxle1

  • MD5

    8d683edd3682ec02d85549592e56ea84

  • SHA1

    da652d5903583e40d3c357773b3c9b2658ad34d5

  • SHA256

    065241fa6141590605cf478e95314f4ec999320fab79e52083ac73c9b66ccb8d

  • SHA512

    5c0f19e4f456dfa4591b07bbbca13a3fd2b987e733c4e5632568b46c006d301e169005b8c3ac028175b00ada01215e9915fba8631fc2e1977744ac59a6fa8f0b

  • SSDEEP

    12288:33HI6MePCtBRkfO5bIbs0RffDLUpDQL3QV73rlnbKw0GjA5AyFG:nHIBt/vELffXdgV73rluw0GjA+y

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks