Extracted

• • Target

    Quotation Sample_398893.xlsx

  • Size

    1.0MB

  • MD5

    1fa0c01f5ce39c3040b272cc0178b526

  • SHA1

    7dcc0072cda211e5af3e025335398691736f7c7d

  • SHA256

    b33d9e331c5b5e6a463d3be8b0456156459983fa4889009e9ba23e355f8548e5

  • SHA512

    2c686ad61500d70ebeeddc04b26bcb6301877960c2dd03fcc4f82dc8344607ee04b33cf06ab9e63e160393a407a5385991cac5ccbfe5d35b6535705bb075bc49

  • SSDEEP

    24576:DsP8ORmk0aZyMRIithugFmoXo0Jf4rkL7cd1AQIRL:DW8ORlZdthugFD4rPLA9

  Score

  10^/10

  agentteslacollectiondiscoveryexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2