General

  • Target

    ORDER-230712_pdf.vbs

  • Size

    8KB

  • Sample

    230712-qsyctsdd55

  • MD5

    8ad5ed0d841eccc69af3ae683181c8ba

  • SHA1

    0431b124ba8702033a7c8afdc55405ce1189ca73

  • SHA256

    2ebdc59e3bcf5477d0decb1a2a5079cafbf49295c2344f735ea42e44ad99f5b2

  • SHA512

    a4640470d44bc47709b83cea2c25b1dddafdf57820269142d4dbc91586c87a314d913eea54daa6d4756b710bd8d0f52d928467b8276b2d072c859d08cc38051d

  • SSDEEP

    96:V0Cfj4peBTHGxZem9WtqQGx9wtehFhesNhU4/i4eo4lhAv4HFje:14aSNW419FLPfBwr9lje

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      ORDER-230712_pdf.vbs

    • Size

      8KB

    • MD5

      8ad5ed0d841eccc69af3ae683181c8ba

    • SHA1

      0431b124ba8702033a7c8afdc55405ce1189ca73

    • SHA256

      2ebdc59e3bcf5477d0decb1a2a5079cafbf49295c2344f735ea42e44ad99f5b2

    • SHA512

      a4640470d44bc47709b83cea2c25b1dddafdf57820269142d4dbc91586c87a314d913eea54daa6d4756b710bd8d0f52d928467b8276b2d072c859d08cc38051d

    • SSDEEP

      96:V0Cfj4peBTHGxZem9WtqQGx9wtehFhesNhU4/i4eo4lhAv4HFje:14aSNW419FLPfBwr9lje

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT); it harvests saved credentials from browsers, email clients and FTP clients.

    • WSHRAT

      WSHRAT is a variant of the Houdini (H-Worm) VBScript worm; it exists in both VBS and JS variants that run under the Windows Script Host (wscript.exe/cscript.exe).

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to certain regions.

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data (account settings and credentials) on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
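
The signatures above describe what the sample does at runtime; the script below is an added detection example (it is not part of this sandbox report and not code from the analysed sample) that replays constructed Sysmon-style events and flags the behaviours listed: a script host (wscript.exe/cscript.exe) connecting to the report's extracted WSHRAT C2 host and port, a Run key pointing at a script file, a script dropped into the Startup folder, and a script host contacting an external-IP lookup service. The event records, the Run key value name, the dropped file path and the set of IP-lookup hostnames are all assumptions made for the example; only the C2 URL and the sample filename come from the report.

```python
"""Behavioural triage over Sysmon-style events (added example, not part of the report).

Every event below is constructed for illustration; field names mimic Sysmon
(Image, TargetObject, Details, DestinationHostname, DestinationPort) but the
values are made up, except the C2 URL and sample name taken from the report.
"""
from urllib.parse import urlparse

# Indicator from the report's extracted WSHRAT config.
C2_URL = "http://chongmei33.publicvm.com:7045"
C2_HOST = urlparse(C2_URL).hostname
C2_PORT = urlparse(C2_URL).port

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed list of public IP-lookup services often queried by stealers.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse")


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return sorted (rule, detail) findings for a list of event dicts."""
    findings = []
    for ev in events:
        kind = ev["type"]
        img = image_name(ev.get("image", ""))
        if kind == "network" and img in SCRIPT_HOSTS:
            host = ev.get("dest_host", "").lower()
            port = ev.get("dest_port")
            if host == C2_HOST and port == C2_PORT:
                findings.append(("script_host_c2_beacon", f"{img} -> {host}:{port}"))
            elif host in IP_LOOKUP_HOSTS:
                findings.append(("script_host_external_ip_lookup", f"{img} -> {host}"))
        elif kind == "registry":
            target = ev.get("target", "").lower()
            value = ev.get("details", "").lower()
            if RUN_KEY_MARKER in target and any(ext in value for ext in SCRIPT_EXTS):
                findings.append(("run_key_script_persistence", ev["target"]))
        elif kind == "file":
            target = ev.get("target", "").lower()
            if STARTUP_MARKER in target and target.endswith(SCRIPT_EXTS):
                findings.append(("startup_folder_script_drop", ev["target"]))
    return sorted(findings)


# Constructed event stream modelled on the report's signatures.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "wscript.exe C:\\Users\\victim\\Downloads\\ORDER-230712_pdf.vbs"},
    {"type": "registry", "image": "C:\\Windows\\System32\\wscript.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ORDER-230712_pdf",
     "details": "wscript.exe //B \"C:\\Users\\victim\\AppData\\Roaming\\ORDER-230712_pdf.vbs\""},
    {"type": "file", "image": "C:\\Windows\\System32\\wscript.exe",
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\"
               "Start Menu\\Programs\\Startup\\ORDER-230712_pdf.vbs"},
    {"type": "network", "image": "C:\\Windows\\System32\\wscript.exe",
     "dest_host": "chongmei33.publicvm.com", "dest_port": 7045},
    {"type": "network", "image": "C:\\Windows\\System32\\wscript.exe",
     "dest_host": "api.ipify.org", "dest_port": 443},
    # Benign control: a browser hitting the same lookup service is not flagged.
    {"type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_host": "api.ipify.org", "dest_port": 443},
]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The C2 match is exact on host and port because the report gives both; in production you would also resolve the hostname at detection time, since dynamic-DNS names like publicvm.com rotate IPs. Sysmon does not log registry reads, so the geofence lookup listed above cannot be caught this way and needs a sandbox or an API-monitoring hook instead.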
