Extracted

• • Target

    Transf....vbs

  • Size

    123KB

  • MD5

    84f3d45749a8fbf516a9fa3366b29e26

  • SHA1

    6c5c766ceae655caf5468da5b41346eec0602cc7

  • SHA256

    7d4aad4ccac671a9a98a5205380b89553b30fccbbf90b477a3e19cb4f9d2c55f

  • SHA512

    5238bb38e86e38426b2ceba742cb6732d2877e5c8b27446425df2b7a9895a429dd6c51d2fced2a3c2ec65e54c655e5ba9634a391565183be55666242698b0914

  • SSDEEP

    3072:FXDq3Cj8LqSZ9Qy7jPLWCuHQq0mug5yzf:1Dw/mg9QyXYHn0muPT

  Score

  10^/10

  agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • Blocklisted process makes network request

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles

    collection

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2