General

  • Target

    ORDEN DE COMPRA 045190.xlsx

  • Size

    855KB

  • Sample

    220921-wnmcnagha4

  • MD5

    66227586a6d1363e22d6e1c10876d5d3

  • SHA1

    a89986704684311eb3b1970e8fca4e497e51ce5b

  • SHA256

    f83628e8db4f7c65ed636e17a1ab69a2b0f14a7e1cf9afca77b682b6d51f8677

  • SHA512

    22bf3f739a72a48f887e8783f9b2345465f27b719736857b08badb1561d24b1d7863692160a4c20aea4ac383b2036fa0c27ad44ae87e8d01bac452e2acb78196

  • SSDEEP

    24576:9mvJDD0Kdb0i0e2zTGlaWAT89esUWb726Wl3z:9mZD0Pi0e2zaEW0cbod

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.gettoner.com.mx/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    fedxunited543@

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • AgentTesla payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks