General

  • Target

    e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96

  • Size

    37KB

  • Sample

    231205-bebjksgf75

  • MD5

    6de35c22ca3f026a6a645fc9fda40565

  • SHA1

    252a6d49a0d9096e8c48c11d7c9a934681e55f6a

  • SHA256

    e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96

  • SHA512

    b872b0509756ca5e5dc8ce14eb83b6c5eb354093a62702a70caceb8ed0ce9d1fb854a55a99302d1e329635891174a525c14e8b036cc7bb18afab1589d2b29f28

  • SSDEEP

    768:lJH2e8oUg8OALyuki2cDsNNP+vB2ZmwVbMLAVYAS50zhR:PWe8XtTLLZ2cDsNNP+vB2ZmwVbtVY8zz

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.telefoonreparatiebovenkarspel.nl
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Madarjan007!

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96

    • Size

      37KB

    • MD5

      6de35c22ca3f026a6a645fc9fda40565

    • SHA1

      252a6d49a0d9096e8c48c11d7c9a934681e55f6a

    • SHA256

      e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96

    • SHA512

      b872b0509756ca5e5dc8ce14eb83b6c5eb354093a62702a70caceb8ed0ce9d1fb854a55a99302d1e329635891174a525c14e8b036cc7bb18afab1589d2b29f28

    • SSDEEP

      768:lJH2e8oUg8OALyuki2cDsNNP+vB2ZmwVbMLAVYAS50zhR:PWe8XtTLLZ2cDsNNP+vB2ZmwVbtVY8zz

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks