Extracted

• • Target

    DHLINVOICENo.65419085.bat.exe

  • Size

    698KB

  • MD5

    855f1a1abe6968620eaf674aca181503

  • SHA1

    9f4ade766a0a5104827366a4cc3a2154022e15f6

  • SHA256

    d2e20ee2ab3762e6f5da9158b09d6f112028c122a3c309accb2045ff1dfdce99

  • SHA512

    1a0e1db801a6819d7867f8b7828061b2ff8abe1b013b6fbac77cb4c605659a366bb39edd3df4eebeb1ee9e8fe8a7ce09841a6226a7ab8cd5fcef3b6db5412ef9

  • SSDEEP

    12288:P+Silza1B2rn9jfnkpEXyb6mpUvuqgfqj16x32/tLAFWT5pC:WSilza1B2rNCyPmhfqwUZpTC

  Score

  10^/10

  agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2