General

  • Target

    ee131e6b57d6b32accb0f82fd5a42ddc65d9030143b177833ddc260b645c2d40.rtf

  • Size

    69KB

  • Sample

    240428-cnes2aec9x

  • MD5

    c63cbdfeaddd4e1867b5d9aedf4b77dd

  • SHA1

    3bf4b2aaff1bd05cea30ddee92df5d33abbdd27b

  • SHA256

    ee131e6b57d6b32accb0f82fd5a42ddc65d9030143b177833ddc260b645c2d40

  • SHA512

    1d06683f93b87bad277891e1ffe418b999e355503505a74fe1f4ee69203b7f6b7bae9b6ae3985fed7226773eeac10f20ecbc980337bf0480892b11b2eb135264

  • SSDEEP

    1536:K3PhdfI79nclO824wMeQ/Mwxqum+UI2VOv5RLEC42Qne0+5sMw/KcoGoyeX:w3fIZOO824wMfUwIZ+UI2VE5RLEC42Qq

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks