Extracted

Extracted

Extracted

Extracted

• • Target

    PO#2500008_ Jan_2025.Xls.js

  • Size

    955KB

  • MD5

    46585cfdb357b9c32e0aed02376dea2c

  • SHA1

    3525ccecb41582261ba6401d34b56cfdb7ec0d1e

  • SHA256

    b7e9e72922bbafab57989a81d72e1dee75ae384bd975cce8a707417cc1df725a

  • SHA512

    52b9a853aec1268ed4304a3712a50a59d12ae4777eb5108920b7e8518ee6800449597d43a29fc73e33e4e3375c8a9fc99e55c7a47b54bed03aea7ef48e238929

  • SSDEEP

    6144:nj8EnXTkIEmXTSPAKujxQ2ZFnQsa45Z44HQ6YGhz00KY6RRs44lEhc6cgPEtcExS:nwmsGKcdssa474tYR0rGlfcEo

  Score

  10^/10

  strratwshratexecutionpersistencestealertrojanagentteslacollectiondiscoverykeyloggerspyware

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Agenttesla family

    agenttesla

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

    trojanstealerstrrat

  • Strrat family

    strrat

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Wshrat family

    wshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2