Extracted

Extracted

• • Target

    PO for ART IMPEX GROUP LLP.doc

  • Size

    1.0MB

  • MD5

    35c9dcf7c4a922996d01cd1172e5ee72

  • SHA1

    f04b7261c7209fbca4a6ca7b64d52b24fb0a0bef

  • SHA256

    f415487e104efb2d80000858f7942cd9db73526601066eca5e63d99a50926298

  • SHA512

    7b1c68f5aa7bdfc3df156c4813d70c518adf570bfc82f4cbad72a487949303b988c8f355715d78f2d07c67a1a8ad3c3f86ce10dc1dd0eaf649b1b1a28b767900

  Score

  10^/10

  agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • AgentTesla Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2