General

  • Target

    P02405912916 .xls

  • Size

    307KB

  • Sample

    240528-hwhgsabe48

  • MD5

    a0542b78900219b359325abd36386b47

  • SHA1

    d09019d751dc0de0ca3397eb150d6ec6bcf8edff

  • SHA256

    13d02298461e48cb0983570112f5c55d1cfe965fae0b8b320cfac7fde28621a3

  • SHA512

    36eecfe3e8e7533aae5d5fd7e7ace1c6c61b5720abcf5f3ca849155010f1ebf629e98feee0b72bb511d7dd70c6d87a586452cc1cbc64a4405b4247d7e1c2a432

  • SSDEEP

    6144:b0W8bTwBwKs4Dzl7Az6/XgGc9bR3LwLee57eLcqKimkkfb5F:IW8fw2iDz1Az6/G9bR3M15yLtKph

Malware Config

  • Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      P02405912916 .xls


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks