Extracted

• • Target

    3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534

  • Size

    553KB

  • MD5

    9696450d184ac26fbebff14339311e0e

  • SHA1

    7f39f6b5ba8f9874242b4d821bd13c1b8d45544c

  • SHA256

    3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534

  • SHA512

    9d3801148e2c938e0cf90de06aca6493d34b377b143e6941daac77955b4e48cc88be254058a93029aef31771f2be30942750fb93f397d84c7f23c790ae64adce

  • SSDEEP

    6144:CpY5xwJSajAqUCkOCqxxx4NJn/omgtqBtLX6WkSM:JcSa4Bqt4NJ/omgcHX6VP

  Score

  10^/10

  discoveryagentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2