Extracted

• • Target

    9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb.vbs

  • Size

    10KB

  • MD5

    420b31e03f0aac291050345120dbb1c8

  • SHA1

    e0968e51e1f6d8f3335ef9b9d5dea2c3f2253079

  • SHA256

    9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb

  • SHA512

    b5d3d8a5fc03ffb54a166b30f4bcdb1073fbdc08df5013b170321199f1939de630f596d058f44a5c4d9bae8f7f3130a6cd3b1d5a11d7f1d9753aee926f0dd7ac

  • SSDEEP

    192:LIOoWa+tZFy6AA+1WHfa1vD7nSruBun2mF:LmW7y6AASOE7nSr0uBF

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2