Extracted

• • Target

    Revised PI.doc

  • Size

    12KB

  • MD5

    4e253e5033611ce12951270da35533ad

  • SHA1

    6b53acb30e886b8c9f28e90ff53da88d5c1b7cc7

  • SHA256

    11cb3310f51dc8a6e4ebce06a520344e39ef3b1eba3244ca5b76a15c9d81aafe

  • SHA512

    ad8d82f869fbe91a12281f0ff13e784633e4e442e6ea06d20026484d813dede0bab777117ffe4c2bd5eb972628417b0845ef8a6649c319a21d8ac0aa2606605d

  • SSDEEP

    192:YweFxa73WKE5AxD3NKMzreoquisPK1AKYKQkVxFLLXm8kxIftZ:O+/1PSHVznWotZ

  Score

  10^/10

  agentteslacollectionkeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2