Extracted

• • Target

    d49652f293d246529d2102c8e962d85e_JaffaCakes118

  • Size

    410KB

  • MD5

    d49652f293d246529d2102c8e962d85e

  • SHA1

    04e31d28408be9d2963d402f368a880987b3851c

  • SHA256

    5d29602ace80728915a5dcbcf3fdb46bc8a82bc5dacbe0c339cd9b544fbc17fc

  • SHA512

    1e1c43fc685549bafc8be9d29f7f97935874b215e7b435d652eedce9c9946bb4370f2e41e3e6476ed0fabd3deaceab02f4f715e5d3475285802b170afee003af

  • SSDEEP

    6144:QsVn8Y/2+3x5spUN1yY0zyZcVFVmPE45Ono0n4ed9PcTJpCvQLF:t58WhWmNEYOypPE450n4ewTJk

  Score

  10^/10

  agenttesladefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • AgentTesla payload

  • System Binary Proxy Execution: InstallUtil

    Abuse InstallUtil to proxy execution of malicious code.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2