General

  • Target

    882a896400e98b35d36ac7c5c9bdd41a_JaffaCakes118

  • Size

    486KB

  • Sample

    240810-3vt5eavbll

  • MD5

    882a896400e98b35d36ac7c5c9bdd41a

  • SHA1

    12a18fe75fc841c2274cff146f4bf4f2ae70aa1d

  • SHA256

    6ebe03dc60018f5d7ca43f37744754c905a5b3102fddd1aa41326423c5e8c383

  • SHA512

    d2be45b4c8f4a23838242e2b4fed471006e27c89435bfc0c384be20b23680f01169d6dddf5455855bbce1e429d3d372d0b2c3edba37f1d0237f82187475cfde5

  • SSDEEP

    12288:K6WHCM2K4ChJ17P//Twny7Wz/4ECeI9zgbQnRQm:KW3CZ/VrVibQKm

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocument

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks