Trojan:VBS/AgenTesla.RR!MTB - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:VBS/AgenTesla.RR!MTB
Classification:
  Type: Trojan
  Platform: VBS
  Family: AgenTesla
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: RR (specific signature variant within the malware family)
  Suffix: !MTB (detected via machine learning and behavioral analysis)
  Detection Method: Behavioral
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), VBScript platform, family AgenTesla.

Summary:

This threat is a VBScript dropper for the AgenTesla infostealer, a known credential-stealing trojan. It uses legitimate Windows tools (LOLBins) and system hooking to execute its payload, establish persistence via scheduled tasks, and steal sensitive user information.

Severity: Medium
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - GetCurrentDirectory (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: OFFERTA 2625.VBE
   Hash: 8c14b765e8ecbe82f756ec0a78350d4c51ec083878978c61d7c78bca434dae3a
   Date: 01/12/2025
 - Filename: SAREGRH54657777786576.VBE
   Hash: 50893d013ca4d67187da12c1e367bbee09dba6fced51addffff9a8ba4b824a71
   Date: 20/11/2025
Remediation Steps:
 - Isolate the affected host from the network.
 - Run a full antivirus scan to remove all malicious components.
 - Investigate and remove persistence mechanisms such as scheduled tasks.
 - Reset all user credentials stored or used on the machine, as they have likely been compromised.
=== END REPORT ===
Last updated: 20/11/2025