Extracted

• • Target

    PO#4502288712.exe

  • Size

    1.5MB

  • MD5

    813b425453f7dfea626aa389f639aa4d

  • SHA1

    d4b70a0235288476c18be713e7763b35bbe726af

  • SHA256

    1cc991649d6186d487d5ff01fe3d0dee7c9383d5c3b43d814ea353e5d82c7372

  • SHA512

    8ff65b9e8713aff085459015e946184d08cc984fdf6db4cab94e4df63b5d306450dc2ddc872aa8480e03136dfb968e7b2a04815c02d232a38b5418bd782cf24f

  • SSDEEP

    24576:df343jiBIhZZBsNOHVj9tTA8yBq6u2SVoTsh7SenmQob43zMksGJM6oi+1q+:mUIhZZBsNOHVj9n49PTg7brKezBheU+

  Score

  10^/10

  discoveryagentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Drops startup file

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2