General

  • Target

    e3529859fea022c422f7b0d78ae1ddf0c6bde2a42f8c5f3358e3f795367c706c

  • Size

    659KB

  • Sample

    250122-bxv1ya1rcp

  • MD5

    547bcbc11bd1700a2f0e309b2218f12c

  • SHA1

    d477b2385ebd242c1af0db745563acb44f08e5d5

  • SHA256

    e3529859fea022c422f7b0d78ae1ddf0c6bde2a42f8c5f3358e3f795367c706c

  • SHA512

    7fd54b8612cf8494ddb13fde6adba2307aeb33468d86a21b0ce3fb193bc26a10d70531553c3c5b5a737f7b16054777da4959c61b039eae3a6883fc21248f6b2e

  • SSDEEP

    12288:IMA73wd6kHcyVR8uhMKB25HVx/2CRiSE4Eeyvcu8EjeQLXaZLp9LYMPd:IMAUrHcyVR8uFg/2CRSxLXyp95l

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      SOA.exe

    • Size

      781KB

    • MD5

      4c92026fcad5536d428c973e4762c7ca

    • SHA1

      2821bd1121d2c2ccfd405838596f6961ca4ee3e9

    • SHA256

      d9a53c3e1a9e6447e32fc86fac2b5e76bf3a1e50af3c9f1bf4f6d25e0186840b

    • SHA512

      f98a501b10ffdc8ca54790c723aa63502c3a311e001e6d7b619332aaea99922e29b2227b76780c2631105a4068e4170e6494f01ff364b391e7ce51f630409b57

    • SSDEEP

      12288:CKOlbxr80IO8Df1iSR22mBnbuRno5Rq+wbGqKkpNdRhnoHLBhAGD02k8:H/f1p22Mb6nyRq+wbGqfNzhoHVj9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks