MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 137acc4163cf5957ffe8fd34d70af35d996f442fd2700bfa66f589647c2206db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 137acc4163cf5957ffe8fd34d70af35d996f442fd2700bfa66f589647c2206db
SHA3-384 hash: 8d3ef48b53711f9c350540647cc613eb3f889214fb81278fb18b4d2694c8eb4293e08e2a3c4f781928cf7f09e81dfd4c
SHA1 hash: a6cce55afeb88fddea06676362f21795599700ca
MD5 hash: da2016b84be807eaed663a146e3428b8
humanhash: fish-pasta-solar-yellow
File name:transferencia,pdf.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:795 bytes
First seen:2023-06-09 06:55:46 UTC
Last seen:2023-06-09 08:28:28 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:aUTatXYGmWeTys8agTiSCJkQBf4jkOPBxmew7oFyVloA0QSqtBJcR+nMPDVaXtsZ:GYPWMgTiSCJSxnw8F+GASqtBJcR9nUS
Threatray 3'811 similar samples on MalwareBazaar
TLSH T16001F50839E4B0D652CDD2C0860424EB5C45982FDCA4A62F516D8D52AA20DF9CD2F7CF
Reporter lowmal3
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397174/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.12503.25676.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
sload
Link:
https://www.filescan.io/uploads/6482cd0460dff9842c54f14a/reports/a56ca73b-872c-42f0-95c2-ecc20f49a334/overview
Verdict:
Malicious
Labled as:
Trojan.Script.VBS
Link:
https://www.hybrid-analysis.com/sample/137acc4163cf5957ffe8fd34d70af35d996f442fd2700bfa66f589647c2206db
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Empire PowerShell Request
Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251171
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 884185 Sample: transferencia,pdf.vbs Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 57 hurricane.ydns.eu 2->57 59 209.183.8.0.in-addr.arpa 2->59 85 Snort IDS alert for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 6 other signatures 2->91 13 wscript.exe 1 2->13         started        signatures3 process4 signatures5 105 VBScript performs obfuscated calls to suspicious functions 13->105 107 Suspicious powershell command line found 13->107 109 Wscript starts Powershell (via cmd or directly) 13->109 111 2 other signatures 13->111 16 powershell.exe 5 13->16         started        process6 signatures7 73 Suspicious powershell command line found 16->73 75 Encrypted powershell cmdline option found 16->75 19 powershell.exe 14 22 16->19         started        23 conhost.exe 16->23         started        process8 dnsIp9 61 hurricane.ydns.eu 85.209.134.253, 1960, 49692, 49693 CMCSUS Germany 19->61 63 tri.ydns.eu 19->63 93 Suspicious powershell command line found 19->93 95 Encrypted powershell cmdline option found 19->95 25 powershell.exe 16 19->25         started        signatures10 process11 dnsIp12 69 tri.ydns.eu 25->69 28 cmd.exe 2 25->28         started        process13 file14 53 C:\Users\user\AppData\...\Opmmjbnv.bat.exe, PE32 28->53 dropped 113 Very long command line found 28->113 115 Uses cmd line tools excessively to alter registry or file data 28->115 32 Opmmjbnv.bat.exe 15 14 28->32         started        36 attrib.exe 1 28->36         started        38 attrib.exe 28->38         started        signatures15 process16 dnsIp17 55 purecry.ydns.eu 32->55 81 Writes to foreign memory regions 32->81 83 Injects a PE file into a foreign processes 32->83 40 InstallUtil.exe 14 9 32->40         started        45 InstallUtil.exe 32->45         started        signatures18 process19 dnsIp20 65 mail.pushkinworld.us 45.148.122.42, 49700, 587 SKB-ENTERPRISENL Netherlands 40->65 67 race.ydns.eu 40->67 51 C:\Users\user\AppData\Local\Temp\saw.com, PE32+ 40->51 dropped 97 Tries to steal Mail credentials (via file / registry access) 40->97 99 Tries to harvest and steal browser information (history, passwords, etc) 40->99 47 saw.com 40->47         started        101 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 45->101 103 Drops PE files with a suspicious file extension 45->103 file21 signatures22 process23 dnsIp24 71 104.223.19.86, 49699, 80 ASN-QUADRANET-GLOBALUS United States 47->71 77 Antivirus detection for dropped file 47->77 79 Machine Learning detection for dropped file 47->79 signatures25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/137acc4163cf5957ffe8fd34d70af35d996f442fd2700bfa66f589647c2206db/
Threat name:
Win32.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-06-08 09:01:49 UTC
File Type:
Text (VBS)
AV detection:
3 of 37 (8.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cn5myqldz5mvp77i7u2nocxtlwmw6rbp2jyax6tg6wewi7bca3nq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e5492854f8e9e427a594ac5938e7a798e084f7bc960a62fdfa076e3f929de57
AgentTesla
4a8da72abff64bcf80a2500077504588b720180b7694203bdb2434fa075fa7fa
AgentTesla
5453c16d0530e3bf32f870269a92db07188195005273c769b05752f4bb7c18e1
AgentTesla
5777e088b6df69cb6a38e324ff037a955ecbe8cd04a941407ebf7c09c51fc4ef
AgentTesla
860da509a25f16cda9a80a5063d4b23bc6a702406fe3c94d69bfc10790219b4e
AgentTesla
8cb05af5d5848832ac7006071a842f3566196a891cd232ff3602b550803e73c5
AgentTesla
a7880f86bd0bbb436dde37febb6168a0fbc51978378c0f5fd8f024d3c6487a7c
AgentTesla
c8bfd9368340e6e057d18ac8d45eb758bff6fadc9550711d5e25e9f183cecee4
AgentTesla
e94f95707bc1ee3c1516cce43846a594acf5a1024ae7a76cb34afe5639fe95b5
AgentTesla
+ 3'801 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230609-hqcz4sbc34/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Sets file to hidden
AgentTesla
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/137acc4163cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/137acc4163cf5957ffe8fd34d70af35d996f442fd2700bfa66f589647c2206db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 137acc4163cf5957ffe8fd34d70af35d996f442fd2700bfa66f589647c2206db

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/397174/

Comments