Extracted

• • Target

    8a2a164482a0142728ab3bbd4559d686_JaffaCakes118

  • Size

    721KB

  • MD5

    8a2a164482a0142728ab3bbd4559d686

  • SHA1

    9db2bbe3fc8a10fd9b5a3c48c8e540c743a1c1f9

  • SHA256

    7693781ca53fb17f4639ca60041799d2efb919301109f65caa16a41e2f96c43a

  • SHA512

    aed8a6978aa3e263d59f2f1e6ba558b5bc238125cbfd602bfca79efd1350943dfceba3a6b9a4c14155a5b923d57009186a7a3f8896e1606bd6f9df3f39c9b4cd

  • SSDEEP

    12288:XcFUncJ54irus265GoqlDX1YH0COI+w7Ror6PpGg+l2K3RYUOsSeysBF4vf9uQ7j:dnYnuRcBIoGblBhP7hF+f9Zn

  Score

  10^/10

  agentteslakeyloggerspywarestealertrojanupxcollectionpersistence

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • AgentTesla payload

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2