Extracted

• • Target

    31f96affd4d0d656732fc019768584751e08f30e6dce65a3518354011fbc613a

  • Size

    1.4MB

  • MD5

    628ff5429348a077681f2280b12c82da

  • SHA1

    4d49fd955e7f73cb72b30e99f15238f1eed6b87a

  • SHA256

    31f96affd4d0d656732fc019768584751e08f30e6dce65a3518354011fbc613a

  • SHA512

    7c7f575fb599c5ab4bf11544c099389dd023483aae24187e350164cade54de26b6d59a3c591e0a8e717e325c79953b64c9326dd2089820c0d0e0c95ec14644d9

  • SSDEEP

    24576:1g7+2lVqhGYHrhn3722PUrJYy9KELn+r4gsv1RIAhjLoamMiX4lNmZg0YxegPbUY:1g7ZDqhGYHFn3S2MY+n+r4gwjLoyEkmL

  Score

  10^/10

  agentteslacollectiondiscoverykeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2