Extracted

• • Target

    P.I.xlsm.bat

  • Size

    3.0MB

  • MD5

    345fd8e60b26a425db12a3b4f03db858

  • SHA1

    b3815d7d301866fbdd472168dc63d88e3bdb93a6

  • SHA256

    84011035b4c05eefeeb6cb35acffb479b26d1c18c8876f3eb881a222c0ee7d49

  • SHA512

    42bba166fb3b1e12c998522a7e622e8894c0efacacbca5e457be4d0fa0559ccfa614e7e547ad3f49f3688a1e93654416ffe3ea9b07d97fa94513d4b7f61e791e

  • SSDEEP

    49152:uVSpD/97Zd7hGxfTyS+HA02ZDMuDzaKoZ0FsCc:V

  Score

  10^/10

  evasionagentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2