Extracted

• • Target

    f1c4511b233b4db0e962affaef1b5c40857090ae742d86bf7ed81d6e2f0670eb

  • Size

    210KB

  • MD5

    baa04801e19bf9c54632466ba0173b68

  • SHA1

    0c93e65e1842cde8b6eee58981a066413e2b6677

  • SHA256

    f1c4511b233b4db0e962affaef1b5c40857090ae742d86bf7ed81d6e2f0670eb

  • SHA512

    3c97d629e86117976a801a92bc807504854604a4494684b5117d40b7154bc2d602da9940404f01201ab711fa48344c3d79d84fe5741ee5537054aa21a07a33a7

  • SSDEEP

    3072:6knVmI3b0mgfmWu+He9VOv5iG5sVhQ30Wk+70wgA11:6knV4e9VOvp

  Score

  10^/10

  executionagenttesladiscoverykeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2