Extracted

• • Target

    Arrival_Notice.vbs

  • Size

    43KB

  • MD5

    0e3295691efe2da3578ec4f544b89757

  • SHA1

    e3e3f0cf04401ffdf66168b9b21d1d3ad16b1372

  • SHA256

    27f470d48e6d73fcb325acd8abdf5df21eec5f6d6fb778dae97c88af683f97a1

  • SHA512

    f349edc63d02a00409aefbbe0858b01784ff84b14b300b8aff6659a7038207d35afbdfe3a55c2bc2406c8d150423636dd62f933323b30e5d5c47a46be66f8a13

  • SSDEEP

    768:B2M/cNHApz4hE6H7SjuZGkCa44m9DeEQWctNrjG5c8oHM73gPArGeqf57DDV7AE:QMixPbyda4VQnt1q53p73nNUnDV7AE

  Score

  10^/10

  agentteslaguloadercredential_accessdiscoverydownloaderkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2