Extracted

• • Target

    b4f1081d88ac2d9a768d94a5aa3c685644835336f5642637005b4f74db407a94.vbs

  • Size

    4KB

  • MD5

    da84b84acab58afbc2549d0313d7a27d

  • SHA1

    f9b2f7c8a1095a0a92b1c11ffad1db6f3e60ddcd

  • SHA256

    b4f1081d88ac2d9a768d94a5aa3c685644835336f5642637005b4f74db407a94

  • SHA512

    ed14edb9c28960454971bc4766109cff1e3195258fb1c2c15d25ec61592c49cef9b5afe01ca477254f73d16b81c0b9a2093bb35fb78861ae11e98876e96a3029

  • SSDEEP

    96:QSUGGWOfwEq8apLbxVgsUkx0PONZDYwAqn/Q6oej2EjsCXdLKUfp:QS7GWC6Lb7dFGWNZDzhnouj2EQCXFbfp

  Score

  10^/10

  agentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Windows vault credential objects. Observed in infostealers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables referencing many file transfer clients. Observed in information stealers

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2