General

  • Target

    d6e45de8ca76e1b129c6d45fb36a6880783c7b25702068bc5c1e288159074dca

  • Size

    627KB

  • Sample

    250123-jk2lys1lem

  • MD5

    702399490db1e6070f6fede58aec0576

  • SHA1

    6237221953b0a8df36ea05b94ac7557eba842a64

  • SHA256

    d6e45de8ca76e1b129c6d45fb36a6880783c7b25702068bc5c1e288159074dca

  • SHA512

    50e46d0c88bc73f785fcb50f46f0e31bcf7fe89e19e0182659f285ea11275a25b13e56594d2738601f6b95b7f1b8026020b0e94350f285761f74a0b449f700d6

  • SSDEEP

    12288:InNaNpGu+QHAzNYrw0sccavkT5kVQlN/w9T1NButZLKcQiSR:GNewQHAzNYr2cfvkbf/w1NAtZLfQFR

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      enquiry.exe

    • Size

      747KB

    • MD5

      46dfa461d0a4845e2ea053c41521b993

    • SHA1

      f133351018473754a29114ef545d20ce595bdda4

    • SHA256

      6d6cb640f6e698a0f25989871716904f7780f4c26cfaf9a824f7fc4feb594f89

    • SHA512

      21f7f4d85e6b8bd811cdfddf6aced9558b087cadbcaa691d0eb95b6259d0f90c854b7bb88bbc04fa5491c1509b1deea17c90984f7e710bcfbbf9dd5bb0b171cc

    • SSDEEP

      12288:k5Ftiw25MuGyAnufZwNvs/4TToRdPCwh0AtkAk9x02whNbx:kxlQVAnuf2NxTipCTAkHwh

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check to avoid running in certain regions.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

      Commonly seen when a process writes a payload into a suspended child and redirects its entry point (process hollowing).
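
The three logged behaviours above (Defender exclusions via PowerShell, a Run key for persistence, an external IP lookup) map directly to host telemetry. As an added example that is not part of the sandbox report, the Python below turns them into detection rules and runs them over constructed Sysmon-style events; the event field names, the sample events and the list of IP lookup hosts are assumptions, not data from this sample.

```python
"""Detection rules for the AgentTesla behaviours listed in the report,
run over constructed Sysmon-style events (assumption: Event ID 1 =
process create, 13 = registry value set, 22 = DNS query)."""
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, object]

# Constructed sample events, not taken from the report.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath '
                'C:\\Users\\Public -ExclusionExtension exe '
                '-ExclusionProcess enquiry.exe"',
     "parent": r"C:\Users\victim\Desktop\enquiry.exe"},
    {"id": 13,
     "image": r"C:\Users\victim\Desktop\enquiry.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\enquiry",
     "details": r"C:\Users\victim\AppData\Roaming\enquiry.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c whoami", "parent": r"C:\Windows\explorer.exe"},
    {"id": 22, "image": r"C:\Users\victim\Desktop\enquiry.exe",
     "query": "api.ipify.org"},
]

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b",
    re.IGNORECASE)
# A value written directly under HKCU/HKLM ...\CurrentVersion\Run or RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumption: a short list of public external-IP lookup services.
IP_LOOKUP_HOSTS: Set[str] = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
    "ipinfo.io", "ip-api.com", "ifconfig.me",
}


def is_defender_exclusion(ev: Event) -> bool:
    """PowerShell process adding Windows Defender exclusions."""
    if ev.get("id") != 1:
        return False
    image = str(ev.get("image", "")).lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    return EXCLUSION_RE.search(str(ev.get("cmdline", ""))) is not None


def is_run_key_persistence(ev: Event) -> bool:
    """Registry value set under a Run/RunOnce key."""
    return (ev.get("id") == 13
            and RUN_KEY_RE.search(str(ev.get("target", ""))) is not None)


def is_external_ip_lookup(ev: Event) -> bool:
    """DNS query for a known external-IP lookup service."""
    host = str(ev.get("query", "")).lower().rstrip(".")
    return ev.get("id") == 22 and host in IP_LOOKUP_HOSTS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("defender_exclusion", is_defender_exclusion),
    ("run_key_persistence", is_run_key_persistence),
    ("external_ip_lookup", is_external_ip_lookup),
]


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES if rule(ev)]


def attribute(events: List[Event]) -> Dict[str, Set[str]]:
    """Group hits by the binary responsible: for a process-create event the
    parent (the launcher of PowerShell), otherwise the image itself."""
    seen: Dict[str, Set[str]] = {}
    for name, idx in detect(events):
        ev = events[idx]
        actor = str(ev.get("parent") if ev.get("id") == 1 else ev.get("image"))
        seen.setdefault(actor, set()).add(name)
    return seen


if __name__ == "__main__":
    for actor, behaviours in attribute(SAMPLE_EVENTS).items():
        print(f"{actor}: {sorted(behaviours)}")
```

Any single rule is noisy on its own (administrators add Defender exclusions, installers write Run keys), so `attribute` collapses the hits per responsible binary; one unsigned executable in a user-writable path producing all three is the signal worth alerting on. The report's other two behaviours, the country-code registry read and SetThreadContext, need registry-read or API-call telemetry that Sysmon does not provide and are deliberately not modelled here.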

MITRE ATT&CK Enterprise v15

Tasks