Extracted

• • Target

    e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5

  • Size

    1.7MB

  • MD5

    9091d550f7b9f77815e4ff83881a7447

  • SHA1

    5ad66e47924d2d4d9cc136bbbfac15474ed3ece9

  • SHA256

    e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5

  • SHA512

    3b02d962560158da631ea6dfff34951bf82db42138bac406412d483f3042ba161a203688874b051ee520bd425b6e9be0e053c00ec260b887241d1606da7671c1

  • SSDEEP

    24576:C8Vyk2acyB/PCTz+s3r54xvEGklY6Zj+Ww66htUA2jycJHOpG2lEYYg47qI9KUef:vdcUHC3Avy5A66hmXHOpIY47qI9rC

  Score

  10^/10

  agentteslacollectiondefense_evasiondiscoveryevasionexecutionkeyloggerpersistenceprivilege_escalationspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Disables service(s)

    evasionexecution

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Turns off Windows Defender SpyNet reporting

    evasion

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • AgentTesla payload

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2