Extracted

• • Target

    nick015.docx

  • Size

    16KB

  • MD5

    916ebc98b5e558d1549670b6daaa69f5

  • SHA1

    143fd3c85c8c4d1582f46e7dd1df66ec55a10662

  • SHA256

    5685ac180e320c50a6c4d70569a15d317f9b03baf71091b84f0915cec512869e

  • SHA512

    9925b9f0b9dd674f0bc781ce20265989a7a94ecde90dc07bb2dfabc985d7069c84a3582a8c3fc9dd0c9585d698531c3253bc652ad88a708b7e3588f256e42ace

  • SSDEEP

    384:3yXkT5jW9Zs8PL8wi4OEwH8TIbE91r2fRJJY+vigkZoCOkp:3ckVYZ5P3DOqnYJHLvVkZoop

  Score

  10^/10

  agentteslaexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Abuses OpenXML format to download file from external location

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2