Extracted

• • Target

    9af2116f48bf8770c286118e8570378987ccb3d76c214790deb92f9b2b7ae4a2.vbs

  • Size

    1.9MB

  • MD5

    4369ed90bc7fa07789bd41b3be7ca95b

  • SHA1

    5ce66b652029364496886c36bcc945a4a1d89d08

  • SHA256

    9af2116f48bf8770c286118e8570378987ccb3d76c214790deb92f9b2b7ae4a2

  • SHA512

    79833243bc5fe725a843c88af29f17c53d3325895d021c7dacb1c05d4aae4619fbac7f2a6ead2a3acefbb22987b775f66df052cac6425cef560a363a84398a36

  • SSDEEP

    24576:cX+DnQcOHaa6pPUXFQ/ubpAAwLHhqFCYeLdTyttwPgFQHOJ8y3yY0XUlgF+/f2ta:cqEFF6OT8P4FubM

  Score

  10^/10

  discoveryagentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2