Extracted

• • Target

    PAYMENT_ERROR.doc

  • Size

    79KB

  • MD5

    cdcd0d063bffaab68a216c729f44acfa

  • SHA1

    49cb0211c0b6f7fe3138c0851f38780dc4f1b8b7

  • SHA256

    00cd6d29e61425391c4bc712d76d5856c7d1ab3c406996d443456160d3efe3d4

  • SHA512

    cdb5d41b60c0a50e5aa103844b1bd617c81676531a5cc309e3da4fdb24831c4655fad3de884c19900739d141d9e1cb858cf38155e729f3c110a78f1c3f5e689a

  • SSDEEP

    768:MwAbZSibMX9gRWjOa7LV6q6ynK9Vg8IA+aTDsCeEPktPBguYU:MwAlRALMjynK9Vm3jEctPB3

  Score

  10^/10

  agentteslacollectionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2