Extracted

• • Target

    f56414caa063dd9e04d5fd62d570ce003b1b469d5320ff5df5c62a2ebfcdb5fd.vbs

  • Size

    10KB

  • MD5

    0ccafea880ed43555fdcba60edf93559

  • SHA1

    01cb51d525785dd3a44f48e35a47044a8beb4d7e

  • SHA256

    f56414caa063dd9e04d5fd62d570ce003b1b469d5320ff5df5c62a2ebfcdb5fd

  • SHA512

    37b8e04ab367816d9bab3087adf192cdbdbac99e49205cd7c89de1916a52f4457217995d18185c66a926a58e97c2be5aaeffc696b879f6e9101be88c3c29e84c

  • SSDEEP

    192:bN5CdCtmn8iF5ofmmC3dFComvOLCem903ujbOaHRDj7LgvUku1sa6/69yc+A0:bqCtmNMhmVqlzLgXiAc+A0

  Score

  10^/10

  agentteslakeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2