Extracted

• • Target

    d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334.exe

  • Size

    963KB

  • MD5

    4d77d26b50bea6a8755808eb5bec3044

  • SHA1

    19383419c4a21e39c46852059ae240e8ab6cc12f

  • SHA256

    d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334

  • SHA512

    2064f545989e2936dec55a7d894b4dc03aefebc112310e2e9797a130d4625cceb709e3739876b82c90fe236e100f5b31768c73472e53b9835ed8b6be77ecc521

  • SSDEEP

    12288:EjlIpHtMPku+l0CPPPJAhajNglP1FmS+jxSCMz+5vET5TVw/AQgMQ60kzodR67Ls:EjlIhSPd+pTgl1wS+jv56bw2V6+eAF

  Score

  10^/10

  agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2