PL_BFRn.rar

The file is identified as a malicious archive, typically associated with Agent Tesla or Guploader malware campaigns. These files are often distributed via phishing emails disguised as business documents like purchase orders or price lists (hence the "PL" prefix).

🛡️ Technical Summary

It creates scheduled tasks or registry keys to ensure it runs every time the computer starts.
The malware often uses "Process Hollowing" to inject code into legitimate Windows processes (like vbc.exe or RegAsm.exe).
Look for new entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Connections to unusual SMTP ports (587, 465) or known malicious IP addresses.

Data Theft Capabilities

Targets Chrome, Firefox, and Edge for saved passwords and cookies.
Scans for credentials in Outlook, Thunderbird, and FileZilla.
Screenshots: Periodically captures the user's screen.