MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04eb7b281d4f5e37659e295549491d704bb22c94f1bfea7b0f208701fd15f16d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04eb7b281d4f5e37659e295549491d704bb22c94f1bfea7b0f208701fd15f16d
SHA3-384 hash: 0c9083a4d8966ec5feb9f36acb27064fa795ca26151cdbe90061ea925e7ccf7e5a1c21e6e53e05a9c513f97ac385c78d
SHA1 hash: 61dfde08e0c5ef46425f0a4f8467d85a3429b5e9
MD5 hash: 237497a5c5b52cb31e71dc622b95fd6e
humanhash: may-vegan-north-texas
File name:C011957_OC2109168_10 28 2021,pdf.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'035 bytes
First seen:2021-10-28 05:37:14 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:TaVLMUVb9wCxMgmxC6gai7e8I90xAUcXi5xii/XxBFN8U+3oFnzbH+IrTC:mV4UvXPG1stK0xAU5iexBFN0oFnfH+8C
Threatray 12'343 similar samples on MalwareBazaar
TLSH T1C011ED21EC67FFE30821E795A0C846EEC1F859C407A44CBC1089344A28AE07E2AAD4B5
Reporter lowmal3
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200790/
Detection(s):
SecuriteInfo.com.VBS.Agent.AGF.24365.6227.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
75%
Tags:
powershell
Link:
https://www.filescan.io/uploads/617a373ca9d585e6d53c9e28/reports/6157463a-8b1b-4ea5-ad7f-336515851ac6/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878311
Signature
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04eb7b281d4f5e37659e295549491d704bb22c94f1bfea7b0f208701fd15f16d/
Threat name:
Script-WScript.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 05:38:05 UTC
AV detection:
8 of 44 (18.18%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atvxwka5j5pdozm6ffkussi5obf3eleu6g76u6ypecdqd7iv6fwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f
AgentTesla
6200e6a721132d15b787150d21ed3d1a153dcafa0068d7785286a84820d2cb94
AgentTesla
75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f
AgentTesla
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
AgentTesla
b9c0b6dd76212644b551d5b8ea745b3f14f6c92365e767836382a4c8ea54906b
AgentTesla
be210663fa2f732768adccd12d26b56cc23740d433481f748ce7401c75f41e72
AgentTesla
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
AgentTesla
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
AgentTesla
+ 12'333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211028-gbqf8ahebj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://origenistic-account.000webhostapp.com/bypass.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04eb7b281d4f5e37659e295549491d704bb22c94f1bfea7b0f208701fd15f16d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 04eb7b281d4f5e37659e295549491d704bb22c94f1bfea7b0f208701fd15f16d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200790/

Comments