General

  • Target: EQORY0083009.vbs
  • Size: 24KB
  • Sample: 241014-k17ctaxejn
  • MD5: 27cbf4229a58f07dcd2a8a025c7d9e06
  • SHA1: 72d1d19362e929e6e8b2c666996ead710e4ce57d
  • SHA256: 65f3918bbabd50999d9e2fede1ab068d5b8df7019f1210bc72bda826c693c1a9
  • SHA512: 3d42afe7b0c4e8ce6fcda3bbb05870c8a69774590e639b8ed3bf71779cbf3e762c0a4b3dd1fc5a966f413e6499c9c61242ecc0e1e63395dc278731cf06160767
  • SSDEEP: 192:eMIPpW99qA+mDnm1A1w1FgrsyK4sezv4zHv7vXCd0nApy2OsEALWdJYHLlmpw3nq:+PyqjIP9CdAssElOkUc2DmJXM9h8HXGy

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks