Extracted

Extracted

• • Target

    5986e46fcee6209b7f50804eb4fce6f550ea2cd8b3ce3447069332abc252a692.exe

  • Size

    956KB

  • MD5

    393cb9ce35da39379004c4489dda13bf

  • SHA1

    ae2f70c34cedaaf26f28d12f482ee76ca975a29b

  • SHA256

    5986e46fcee6209b7f50804eb4fce6f550ea2cd8b3ce3447069332abc252a692

  • SHA512

    c2a3a3ddb43d5be2be35692b0b6981603c99392400d75a8883ca5dd688aaf433cbf706fbf3619818bb09576ba9e3244e0e0c3c6a62da35c49c2112e51fc8aca5

  • SSDEEP

    12288:/csCELA+12Hd5lpvS36pDfi/xN3xIZrzfBVzxWWKy5siBjVE4wPLXkYVx5OjuRZ/:0zf/zxWu5zW4wjkTuRZOVFuxztsrG/

  Score

  10^/10

  discoveryexecutionagentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2