General

  • Target

    smtp12_0_BANK DETAILS.xls

  • Size

    317KB

  • Sample

    240314-pt2k7scb8x

  • MD5

    ec47b9bbe25cfe2c665dc5b052da8f54

  • SHA1

    2ad3a85770f659e0b30609ccaa0619d2e8c31cde

  • SHA256

    ebbb1734bf79d2057410762e5674ea2630f80c6700c660c6f54b4e9d8e48d332

  • SHA512

    d9c1bfc2af6e2263643675b559283fa207b5e104b43375bddc0487c7789a25b9ff857da90c42c75efa6c2bf07f09a1b0f009264f4b7f3600d0e579fb2fbc1586

  • SSDEEP

    6144:2qunJPRvY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbV6nMIENQBdMgxK5tMZf6:2bJPRy3bV6nMIEN2lxK5WZB3Bk

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks