Extracted

• • Target

    7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec

  • Size

    742KB

  • MD5

    1d0892c12a2e69230e60d6f195a0d211

  • SHA1

    d02c13991e6d40047e6323e8f21743f9e6ab7bf9

  • SHA256

    7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec

  • SHA512

    593208a2e0b7962af62c393fed71634e651c6920c4f6e604fbc208c735c60266702aeebd727e35cd63044240f3417f10a3b5b740cf0330f71c001e9cc370852d

  • SSDEEP

    12288:fvPRL8Vyke763nEh7vqBdA0PCTem/8++s3fT5+9xBd9acP:F8Vyk2acyB/PCTz+s3r54x7P

  Score

  10^/10

  agentteslacollectiondefense_evasiondiscoveryevasionexecutionkeyloggerpersistenceprivilege_escalationspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Turns off Windows Defender SpyNet reporting

    evasion

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • AgentTesla payload

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2