Extracted

• • Target

    QU140398.exe

  • Size

    814KB

  • MD5

    2956b5876da3f8bd63627358f39dd5bd

  • SHA1

    c0df48ce532c6b5a7d846f62544d8fb8f1f571f3

  • SHA256

    ae8d1fa58b33e9eddc5fdea9668efb2af4046b6d65d8fc34da8f70953ccd1549

  • SHA512

    6910ebf57121b5c76f27e2e544e548649e9145ceb243fcbd05e8d7692a281755b9c81853b6f24add9e1017a79a9575f4420a4effb2fc06248589a8072bf7f714

  • SSDEEP

    24576:aF8yNK1t4NK1tOqLBxq8l6umA84lWdOGAnkCQ2KfkMLx+:aKhjqR48ddiQ2KfkMLk

  Score

  10^/10

  discoveryexecutionagentteslacollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2