MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0025b90ba143e8c35d7bd9f1943163ba001d62ea171e83ecdf4d6d42d2077189. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0025b90ba143e8c35d7bd9f1943163ba001d62ea171e83ecdf4d6d42d2077189
SHA3-384 hash: 62b4fbda01c057e30dc29c0bc58b7335d63adc2502f4cdf60f016c246ad2249f3a9eb9e5d46f17c83cbb5d42850c036d
SHA1 hash: 9b0099b262d7b69d40ade71fd334d9e957f12d2e
MD5 hash: f0eab8bd06ca0ede116f5c767c6d385c
humanhash: hot-king-whiskey-mockingbird
File name:Proof of payment.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:936'624 bytes
First seen:2023-06-13 10:16:42 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:aQvgYcpa5U+ogsUJW4Wrle/PhG+/kery+bGayRnHootn4cmpyQbgl2b/uKu7sPG/:9gYcpl+og0S70RnHooqr/jZqem
Threatray 3'602 similar samples on MalwareBazaar
TLSH T1B8154961BAFF40647077EA5746EE32294A6AF66C6379D2E9784C03195BBFD800D03F12
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398215/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.62499.24446.6721.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6488422308b287b7595b69c4/reports/9cd97690-69cb-4648-af15-0ee881189b11/overview
Verdict:
Suspicious
Labled as:
VBS/YAV.Minerva
Link:
https://www.hybrid-analysis.com/sample/0025b90ba143e8c35d7bd9f1943163ba001d62ea171e83ecdf4d6d42d2077189
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253558
Signature
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 886577 Sample: Proof_of_payment.vbs Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 6 other signatures 2->50 7 wscript.exe 1 2->7         started        process3 signatures4 52 VBScript performs obfuscated calls to suspicious functions 7->52 54 Suspicious powershell command line found 7->54 56 Wscript starts Powershell (via cmd or directly) 7->56 58 Very long command line found 7->58 10 powershell.exe 14 7 7->10         started        14 cmd.exe 1 7->14         started        process5 dnsIp6 34 yorkrefrigerent.md 195.178.106.125, 443, 49712 TOPHOST-MD-ASRMoldovaChisinauParis18ARO Romania 10->34 60 Writes to foreign memory regions 10->60 62 Injects a PE file into a foreign processes 10->62 16 RegAsm.exe 2 10->16         started        20 conhost.exe 10->20         started        64 Wscript starts Powershell (via cmd or directly) 14->64 66 Uses ping.exe to sleep 14->66 68 Uses ping.exe to check the status of other devices and networks 14->68 22 PING.EXE 1 14->22         started        24 powershell.exe 7 14->24         started        26 conhost.exe 14->26         started        signatures7 process8 dnsIp9 28 itzayanaland.com 107.161.75.133, 49713, 587 IWEB-ASCA Canada 16->28 30 mail.itzayanaland.com 16->30 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->36 38 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->38 40 Tries to steal Mail credentials (via file / registry access) 16->40 42 Tries to harvest and steal browser information (history, passwords, etc) 16->42 32 127.0.0.1 unknown unknown 22->32 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0025b90ba143e8c35d7bd9f1943163ba001d62ea171e83ecdf4d6d42d2077189/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-06-12 16:38:32 UTC
File Type:
Text (VBS)
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aas3sc5bipumgxl33hyzimldxiab2yxkc4pih3g7jvwufuqhogeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07f01993306030d708dc2b5b42d4a6aef41c0c2f597aca066138689a6722a25d
AgentTesla
158d9c5a8c7290c638708e4843cb732e395c1ef4d782e1425220cb54467f27dd
AgentTesla
5e28056a4a8f3275f77157f332981a439fa4f2dc61f11f687b6526d1415eacef
AgentTesla
8f4a4002934b09591e8b6f95a9ec20ff0ae4ddc48dd869bd76fc9d9f9c59f72e
AgentTesla
9c9010fa0ccf689b61177b86c2ef95eb6dd40313653dc41b769afa14f59ee907
AgentTesla
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309
AgentTesla
bfd49377da02a9d2e1d613b047e59af4a8feca2b3086bb478db13ce99c08aa8f
AgentTesla
bfdc1ff00762627c6a8a95344bf549ea2ed0d63d9c0375584a608201f1b5d84e
AgentTesla
c258adf0015f1607b2b09594cbec41de70d816829820695f8c9778ec4b11d553
AgentTesla
d858c46195e818b01623144579c503c17a2bcfe6c2a38cff995f2bf720e2b06b
AgentTesla
+ 3'592 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230613-mbd13sgc5z/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0025b90ba143/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0025b90ba143e8c35d7bd9f1943163ba001d62ea171e83ecdf4d6d42d2077189

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398215/

Comments