Extracted

Extracted

• • Target

    0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118

  • Size

    1.3MB

  • MD5

    0535d61c633b6dac3e59ec955c2ed86b

  • SHA1

    92441762bc9c5bdf261b62590837af1158762cbb

  • SHA256

    6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3

  • SHA512

    951efc726866c8997e6b86269ea8f8b6cfb0bea0faabeeecc9773cad8c6023376c407505193a7be4e64853c25f56a9f4a4e6720bc99db1d169ba078540ca993d

  • SSDEEP

    24576:vjTUTc/NguVO/o5Y7N+qbmsbkh6wmB5Be5SfWVlJ1cKaXLK4r3f2:7TUTcbVO/o27kEhkgF5BekfWVlLUPr3

  Score

  10^/10

  agentteslanetwirebotnetcollectiondiscoverykeyloggerpersistenceratspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • NetWire RAT payload

    rat

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire

  • AgentTesla payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2