Extracted

• • Target

    PO] G_24370-24396_SI2_S25_8658.exe

  • Size

    2.3MB

  • MD5

    fd1db3d42f8ce22b75ee45b2b2e18075

  • SHA1

    532f70a54fb672faca5fd8fbf3df4b9e33de13c4

  • SHA256

    d5e518efcccc11bc6e29f1c5b89279ce4fdab95913ddab884306cc8ad0f8e7a3

  • SHA512

    1c5bb62f28060c78c633b587a4afeed1ac0c6faead422a94a52463f5a3fb366a5489f2529b829e8d2c2e90859890404be1204bd9a9b2db7c61f46bbfcfd94e7b

  • SSDEEP

    12288:EMha6lvswwPEr52DxsnECFePAYuH5vqUq/gM7aggZM/c8ZiJwmcYS+:FU62LmDwPQvfq/gMOo/c8ZiDHS+

  Score

  10^/10

  agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2