PL_BFRn.rar

Analysis of similar samples (e.g., on ANY.RUN) reveals the following characteristics:

Malware Family: Agent Tesla (Spyware/Infostealer).

Delivery: RAR archive containing an executable (.exe), sent as email attachments with double extensions (e.g., PL_BFRn.pdf.exe).

🔍 Behavior Analysis

Execution Flow: The user extracts the RAR and runs the hidden executable. The malware often uses "Process Hollowing" to inject code into legitimate Windows processes (like vbc.exe or RegAsm.exe).

Data Theft: Stealing credentials, keystrokes, and clipboard data. Targets Chrome, Firefox, and Edge for saved passwords and cookies. Scans for credentials in Outlook, Thunderbird, and FileZilla.

Screenshots: Periodically captures the user's screen.

Persistence: Look for new entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.