General

  • Target

    13d02298461e48cb0983570112f5c55d1cfe965fae0b8b320cfac7fde28621a3.xls

  • Size

    307KB

  • Sample

    240529-bgbblabh71

  • MD5

    a0542b78900219b359325abd36386b47

  • SHA1

    d09019d751dc0de0ca3397eb150d6ec6bcf8edff

  • SHA256

    13d02298461e48cb0983570112f5c55d1cfe965fae0b8b320cfac7fde28621a3

  • SHA512

    36eecfe3e8e7533aae5d5fd7e7ace1c6c61b5720abcf5f3ca849155010f1ebf629e98feee0b72bb511d7dd70c6d87a586452cc1cbc64a4405b4247d7e1c2a432

  • SSDEEP

    6144:b0W8bTwBwKs4Dzl7Az6/XgGc9bR3LwLee57eLcqKimkkfb5F:IW8fw2iDz1Az6/G9bR3M15yLtKph

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks