General

  • Target

    SAMPLE & SPECIFICATIONS.vbs

  • Size

    416KB

  • Sample

    230208-xb16qadf2t

  • MD5

    2b5ab50d62a83323b1a116aa971a68bb

  • SHA1

    70be9ff6c13225a4d063e80573edf155d6bc4696

  • SHA256

    1630e7ed4231aa7e175b188202686e4402d447cf6aeee2397deac02aae5f9702

  • SHA512

    c8a4f643ec00b0a54b81b13ec03d704638060237ed790db0393ffc3053387c1ae7e1b4bf9b5eb81218557306357050b03515ce46a5f2828cc4538809a284663d

  • SSDEEP

    6144:KX0/Cp51RQewTGd2IwtnsJ2xNHTJpump7CF9gl44wVIuUV5EQGnG15UtGazMyNk:KX0/CP1KNTGIxbJpui7eB5ICQ91WRjk

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.mcmprint.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    l9Hh{#_(0shZ

Targets

    • Target

      SAMPLE & SPECIFICATIONS.vbs


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • GuLoader, CloudEye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent file, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks