Trojan.Agent.OFXA

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Agent.OFXA
Signature status:	No Signature

Known Samples

MD5: 5a2b1b288916c9313d6d15eb6707b455

SHA1: ab1fd7a60fcdb6bcf795077bd2da17e09818c3e2

SHA256: 51B66AB9EFFE3DB96D1AF500ADC6A2C6663045F75C65240AD94A02281B37451D

File Size: 6.08 MB, 6078464 bytes

MD5: 90a57e6ec6c2f0c56d08db14cf2301a5

SHA1: 236c2f450a0eee033abec297eed7d2206939df3e

SHA256: 658C684284C8E1C39F4682BB548E81F248C7DEF863747AA22463192386FF777A

File Size: 2.95 MB, 2949120 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File doesn't have security information
File has TLS information
File is 64-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)

IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	Flexera
File Description	Setup Suite Launcher Unicode
File Version	31.0.24
I S Internal Description	Setup Suite Launcher Unicode
I S Internal Version	31.0.24
Internal Build Number	215864
Internal Name	SetupSuite
Legal Copyright	Copyright (c) 2025 Flexera. All Rights Reserved.
Original Filename	InstallShield SetupSuite.exe
Product Name	InstallShield
Product Version	31.0

File Traits

2+ executable sections
big overlay
Installer Version
x64

Block Information

Total Blocks:	3,622
Potentially Malicious Blocks:	1,458
Whitelisted Blocks:	2,164
Unknown Blocks:	0

Visual Map

0 0 0 x 0 x 0 0 0 x x x x x x x 0 x x 0 x 0 x 0 x x x x 0 x 0 x x 0 x x x 0 0 x x x x x x x x x x x x x x 0 0 x 0 0 0 0 0 x x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x 0 0 0 x 0 0 x x x 0 x x 0 x x x x x x 0 0 x x x 0 x x 0 0 x x x x x x x x 0 x x 0 x x 0 x 0 x 0 x x x 0 0 x x x 0 x x 0 x x 0 0 0 x 0 x x x x x x x x x 0 x 0 x 0 x x x x x x x x 0 x x 0 x x 0 0 x x 0 0 x x x x 0 x 0 x 0 x 0 x x 0 x x 0 x x x x x 0 0 x x x x 0 0 x x 0 0 0 0 x x x x 0 x x x x x x x x x x 1 0 x x x x 0 x 0 x x x x 0 x x 0 x x 0 x x x x 0 0 x x x 0 x x 0 0 x 0 x x 0 x x x x x 0 x x x x x 0 x x 0 x x x x x x x x 0 x x x x x 0 0 0 0 0 0 x 0 0 x x x 0 x x x x 0 x 0 0 x x x x x x 0 0 x x x x x x x x x x 0 0 x x x 0 x x x 0 x 0 x x 0 0 0 x x x x x 0 x x x 0 x x 0 x x x x 0 x 0 x x x x 0 0 x x x x x 0 x 0 0 0 x x x x x x x x 0 x x x x x x x x 0 0 0 x 0 x x x x 0 x 0 x x x x x x x 0 x x x x x x x x x x x x x x 0 x x x x x 0 0 x x x x x 0 0 x x x x 0 x 0 x x 0 x x 0 x x 0 0 x x x x 0 0 x x x x x x x x 0 x 0 x x x x x x x 0 x x 0 0 x x 0 0 x 0 x 0 x 0 x 0 x 0 x x x x x x x x x x x 0 0 x x 0 x x x x x x x 0 0 x x x 0 x x x x x x x x x 0 x 0 x x 0 x 0 x 0 x x x x x 0 0 0 0 0 0 x x 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x x 0 0 0 x 0 x x x x x 0 0 0 0 0 0 0 0 x 0 0 0 x x x 1 x x 0 x x x x x x x x x x x 0 x x 0 0 0 0 0 0 0 0 0 0 x x 0 x x x x x x 0 0 x 0 0 0 x x 0 0 0 x x x x x x x 0 0 x x 0 x x 0 x x x x x x x x 0 0 x 0 x 0 x x 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 x 0 0 1 0 0 x x x x 0 0 x x x 0 x x x 0 x x 0 0 0 0 x 0 x 0 x 0 x 0 0 0 0 0 0 x 0 x 0 0 0 0 x x x x x 0 x 0 0 0 0 0 0 x x 0 0 x 0 1 x 0 x x 0 x x x x x x 0 x 0 x 0 x x 0 0 x x x x x x 0 0 0 0 0 0 0 0 0 x x 0 x x x x 0 0 0 0 0 0 0 1 0 0 0 x x 0 x 0 x x x x 0 x x x 0 0 0 x x x x 0 0 x x x x 0 x x x 0 x x x 0 0 0 1 0 0 0 0 x 0 0 0 0 0 x 0 x 0 0 x x 0 x x x x 0 x 0 0 0 0 0 0 x 0 x 0 0 1 0 0 x 0 x x x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x 0 x x x x x x x x x x x x 0 0 0 x x x x 0 x x x x 0 x x x x x x 0 x x 0 x x x x x x 1 0 x x x x x 0 0 x x x 0 0 0 x x x x x x x x x x x x x x x x x 0 x x x x 0 0 0 x x x x x x x x 0 x x x x x x x x x x 0 0 0 x x x 0 x x 0 0 x 0 0 0 x x x x 0 x x x x x x x x x x 0 x 0 0 0 0 x x x x x x x x x 0 x x 0 x x x x x x x x x x 0 x x x x 0 x 0 x x x x x 0 x x x x x x x 0 x x x x x x x x x x x x x 0 x x 0 x x x x x x x x x x x x x 1 x x x x 0 0 0 0 0 0 x x x 0 0 x x x x x x x 0 x 0 x x 0 x 0 0 x x 0 x x x 0 0 x 0 x x x x x x x x x x 0 x x 0 x x x x x x 0 x 0 x x x 0 0 0 x x 0 0 0 x x x x x x x x 0 x x x x x x x 0 x 0 x x x x x x 0 x x x x x x x x x x 0 x x x 0 x x x x x 0 0 x x x x x x x 0 0 x x x x x x 0 x 0 x x x x x 0 x x x x x x x x 0 x x x x x x x x x x x x x x x 0 0 x 0 0 0 x 0 x x x x x 0 x 1 x 0 0 x x x 0 x 0 0 0 x x x x x x 0 x x x x x x x x 0 0 0 x 0 x x x 0 0 0 0 0 0 x x x x x x x 0 0 0 x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 x x x x x 0 x 0 x 0 x 0 0 x x x x x x x x x x x x 0 x x 0 0 x x x 0 x x 0 x x x x 0 x 0 x x x 0 x 0 0 0 0 x 0 0 x x x x 0 x x x x x x x x x x x x x 0 x 0 x x x x x x 0 0 0 1 0 0 0 x 0 1 0 0 0 0 0 0 0 x 0 0 0 0 x 0 x 0 x x x 0 x 0 x 0 x x x x x x x x x x x x x x 0 0 0 x x x x x 0 0 0 0 x x x 0 x 0 0 0 0 0 0 0 x 0 0 x 0 x x x x x x x x x x 0 x x 0 x x x x x x x x 0 x 0 x x x 0 x x x x 0 x x x 0 x x x x x x x x x x x x 0 x x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x 0 x x x x x x 0 x x 0 x x x 0 x 0 x x x x x x x x x x x 0 x x x x x 0 x x x x x x x 0 x x x 0 x x 0 x x x x x 0 0 x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 x x x x x 0 x 0 x x x x x 0 0 x 0 0 0 0 0 x x 0 x x x x x x x x x x x x x 0 x 0 x x 0 x x x 0 x x x x x x x 0 x x 0 x x x x x x x 0 x x 0 x x x x x 0 x 0 x x x x x x x 0 x x 0 x x x x x x x x 0 0 0 0 0 x x 0 x x x 0 x 0 0 x 0 0 0 x x 0 x x 0 0 x x x x x x x 0 0 x x x x x 0 x x x x x x 0 x 0 x 0 x 0 0 0 x x 0 0 x x 0 x x 0 x 0 x x x x x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x x 0 0 0 0 0 0 x 0 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 x x x x x x 0 x x x x x x 0 x x x x x x x x x x x x x x 0 0 x x x x x 0 0 x x 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x

... Data truncated

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\{41feb5bc-1c53-4721-a973-ea2d75059def}\_isaf5d.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\{64bbe9f4-5c84-47a8-ae6c-b162f1a80bd5}\_isa52d.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	쿚勢䮤ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	イ勥䮤ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	罨⯠孪ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ॸ⯪孪ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant Show More ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTerminateProcess ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile UNKNOWN
Process Shell Execute	CreateProcess WriteConsole
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Process Terminate	TerminateProcess
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							"C:\Users\Bmkdlyzb\AppData\Local\Temp\{64BBE9F4-5C84-47A8-AE6C-B162F1A80BD5}\_isA52D.exe"  -IS_temp ORIGINALSETUPEXEDIR="c:\users\user\downloads" ORIGINALSETUPEXENAME="ab1fd7a60fcdb6bcf795077bd2da17e09818c3e2_0006078464"


							"C:\WINDOWS\system32\cmd.exe" /c del "C:\Users\Bmkdlyzb\AppData\Local\Temp\{64BBE9F4-5C84-47A8-AE6C-B162F1A80BD5}\_isA52D.exe"


							WriteConsole: The system canno


							"C:\Users\Dvombplc\AppData\Local\Temp\{41FEB5BC-1C53-4721-A973-EA2D75059DEF}\_isAF5D.exe"  -IS_temp ORIGINALSETUPEXEDIR="c:\users\user\downloads" ORIGINALSETUPEXENAME="236c2f450a0eee033abec297eed7d2206939df3e_0002949120"


							"C:\WINDOWS\system32\cmd.exe" /c del "C:\Users\Dvombplc\AppData\Local\Temp\{41FEB5BC-1C53-4721-A973-EA2D75059DEF}\_isAF5D.exe"

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Agent.OFXA

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Mutcitic.co.in

Denetight.com

Unlimited Defender Firewall Alert

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Is Stuck on Gray Screen

Discord Shows Black Screen when Sharing Screen