General

  • Target

    Swift Advice 75,608$ USD.xls

  • Size

    279KB

  • Sample

    240606-sblc2sgf77

  • MD5

    b806f1868f3144102f73f43868d8b031

  • SHA1

    cc98fcdd285bb0f935a0593776f6c6182faf7044

  • SHA256

    36828e8ba8e39939e864288010d554c1a098a89f414b5ad8b52e97169122630a

  • SHA512

    90acc08125ca194c70286fba432f5145e8bead5abb8cff700ac2c5bb954966d3daa29d04a24e91b20000382e60bf5fe5d854e97e366d2cf692f76acf9cb0868b

  • SSDEEP

    6144:3qFzL5LIT47HmPWNBjZpXIoVvneEJ28+B3f1S6D+Hx605p:3qFzu4LmPU/rdeo28+Bt7L8p

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks