Extracted

• • Target

    3cbf36d411a17825571754792d24ef1c527bf7a3dc1576542a9e3f7af17b25d8.vbs

  • Size

    2.2MB

  • MD5

    221ae816affed72c775e7c681581f58c

  • SHA1

    a3b8744f36d156f04924fabd3358e9bbb34b7b3c

  • SHA256

    3cbf36d411a17825571754792d24ef1c527bf7a3dc1576542a9e3f7af17b25d8

  • SHA512

    87c26ea88a3ff4bfd2af1ad1dbea1051275ba9bfd002c21c8fc7ea368a73bd990c5d9a942ac8a6b463ea05a852a58b0a82621af4909de4eacab3e85e5bb526ef

  • SSDEEP

    24576:smLOIxPEeSZIhEuOHZ0KrWet0kwoBVPVaZtZ0ehEp3oqJtwPowQkWL/1WBz8WRgB:dishEuaiLjEJetZXEKfy6gOamUSOuXS

  Score

  10^/10

  discoveryagentteslakeyloggerpersistencespywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2