MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d
SHA3-384 hash: cd74c6ed9c0fe54048732fe01ddfb575359c7538d3e09df160747d37b74d921b7b1e8c1da3f68a4a5429a41919f13bee
SHA1 hash: 86e8c5ac45d27b92268e8d0b78335491bbce8ba8
MD5 hash: 7520862f75d82d3f3083c8a983fc85cf
humanhash: princess-item-double-table
File name:7520862f75d82d3f3083c8a983fc85cf.js
Download: download sample
Signature AgentTesla
Create hunting rule
File size:7'921 bytes
First seen:2024-07-05 05:15:30 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:K4No7NxNmNhNaTAxiNaNNNXNDRNoNHNhNiNTTXx:3SfoX+0zBziRjkT
TLSH T16CF1B00C66586C23D3FCC8641754F6392EDD86CB10246EBBF0E5DB47EE2AAC6901DE40
Reporter abuse_ch
Tags:AgentTesla js

Intelligence

File Origin
# of uploads :
1
# of downloads :
419
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.1838.1218.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668783624a5832d180b73683win10vpnfull_triage
Tags:
Execution Infostealer Network Stealth Trojan Agent
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/668781956b8dba248b49944a/reports/04f2b683-8c45-4281-9976-86c8d7c3332c/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1467969
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JScript performs obfuscated calls to suspicious functions
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467969 Sample: DVycy79WuR.js Startdate: 05/07/2024 Architecture: WINDOWS Score: 100 29 smtp.gmail.com 2->29 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for dropped file 2->45 47 9 other signatures 2->47 8 wscript.exe 4 15 2->8         started        signatures3 process4 dnsIp5 31 192.210.215.11, 49710, 80 AS-COLOCROSSINGUS United States 8->31 21 C:\Users\user\AppData\Local\Temp\DNQUBU.js, Unicode 8->21 dropped 23 C:\Users\user\AppData\Local\...\mkl[1].js, Unicode 8->23 dropped 49 System process connects to network (likely due to code injection or exploit) 8->49 51 Benign windows process drops PE files 8->51 53 JScript performs obfuscated calls to suspicious functions 8->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->55 13 wscript.exe 2 8->13         started        file6 signatures7 process8 file9 25 C:\Users\user\AppData\Local\Temp\tqxse.exe, PE32 13->25 dropped 57 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->57 17 tqxse.exe 2 13->17         started        signatures10 process11 dnsIp12 27 smtp.gmail.com 142.251.173.109, 54850, 54856, 54857 GOOGLEUS United States 17->27 33 Antivirus detection for dropped file 17->33 35 Multi AV Scanner detection for dropped file 17->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->37 39 4 other signatures 17->39 signatures13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-07-04 09:27:44 UTC
File Type:
Text (JavaScript)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbxf2i2wyv2vltqkuhcv3kxa36dbkncdg2yr4scimy2yd7kv246q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240705-fx5ycswbpb/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Java Script (JS) js 106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2907626/
  
Delivery method
Distributed via web download

Comments