Extracted

• • Target

    New Order-Tefanujofaman Trading Co. Ltd.vbs

  • Size

    43KB

  • MD5

    0c816e41fef783ec40ce2d7447d4c5dd

  • SHA1

    e0f156439fcba011174f92ef01a4a376b337314d

  • SHA256

    b828a42d31cb9bab2620c4c1def73499c542be4f19a802c08e9c0a0971192c3f

  • SHA512

    cb93ee840b711ad21cebb8f2d1f98aee087a166c320783de4913bfa70db5118780edd00d5df7712f9473452918f05d2ebad88f23280f10f97ded355b22bab7c3

  • SSDEEP

    768:B696nNHECqC68L+iyHNm4WH8xlDeVXQ8MuCzPvbG4O8/MsOAkieqfz7DIKFAR:g9Ge8LP4xxaQhlDDpUssRWnIKFAR

  Score

  10^/10

  executionagentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2