MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0
SHA3-384 hash: 293128e18a576a61697e5bfa8d88af6daddd78dafd802b91980330073fc40a9a4edc505d1296c8312985b4f082b31c23
SHA1 hash: 1508131ce5e989e154be0fe999008577eb300629
MD5 hash: 96f1b6416e83dd1f48e73716e7a2c6a7
humanhash: pennsylvania-johnny-comet-stairway
File name:PO-679979585774.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:514'148 bytes
First seen:2023-07-24 15:13:40 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:Zn+UMxzakHMKM7h3XztZvLtSv3aL3YTDCkFxFps8aht:jMxzaka7hlSUYXCkFxFps8aht
Threatray 5'167 similar samples on MalwareBazaar
TLSH T18EB4B3517EEF600475B2BE9B1BE529A54B3B75311D75D46E304E060A0BEBD80ACA0F3E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431202/
Detection(s):
SecuriteInfo.com.VBS.Agent.BBN.17990.3758.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
VBS/Agent.BBN
Link:
https://www.hybrid-analysis.com/sample/153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278655
Signature
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278655 Sample: PO-679979585774.vbs Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Antivirus detection for URL or domain 2->49 51 4 other signatures 2->51 8 wscript.exe 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        process3 signatures4 61 VBScript performs obfuscated calls to suspicious functions 8->61 63 Suspicious powershell command line found 8->63 65 Wscript starts Powershell (via cmd or directly) 8->65 67 Very long command line found 8->67 15 powershell.exe 15 8 8->15         started        process5 dnsIp6 35 yorkrefrigerent.md 195.178.106.125, 443, 49699 TOPHOST-MD-ASRMoldovaChisinauParis18ARO Romania 15->35 37 Suspicious powershell command line found 15->37 39 Creates autostart registry keys with suspicious values (likely registry only malware) 15->39 41 Writes to foreign memory regions 15->41 43 2 other signatures 15->43 19 RegSvcs.exe 2 15->19         started        23 powershell.exe 12 15->23         started        25 conhost.exe 15->25         started        signatures7 process8 dnsIp9 29 solucionesmexico.mx 65.99.252.58, 49700, 587 AS-TIERP-36024US United States 19->29 31 mail.solucionesmexico.mx 19->31 33 192.168.2.1 unknown unknown 19->33 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->55 57 Tries to steal Mail credentials (via file / registry access) 19->57 59 Tries to harvest and steal browser information (history, passwords, etc) 19->59 27 conhost.exe 23->27         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0/
Threat name:
Script-WScript.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 13:02:29 UTC
File Type:
Text (VBS)
AV detection:
6 of 38 (15.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cu6d7o3tyrkoa552esehd4ivt6gwzhpunvpufu22y3mzoe5lbgya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0025fa6f194a33862ff4241a1fefed9477645cb36cb99e65d05b639b29dcdcdd
AgentTesla
37862b04beaaaf7007d5f3095ba345034ccaf5ce574edb01a76f97e895ecbb2a
AgentTesla
5fcef5ddef0a34f70e1e879e60868a8bec88ccd0071a9895961172f3a9c6601f
AgentTesla
6992a8b08648143a6b7ba3ed6ddd48de22dcf235f54d6f1f9c549d36536f8202
AgentTesla
7a4d39a7259028f1b42a0eff7414a273057dc2b880108d3152c5b20e02c6a407
AgentTesla
998c60c52b5c1e1362bf223149d62247f6be21e2f5e3ea352f29d5384f532a1d
AgentTesla
a985eb8e5d4a1dddace999e1b03f11a6cf3bfa210678f19165134441f80c5ba4
AgentTesla
b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236
AgentTesla
c6dc183e0a2208e4a95bbed33b18f8ec0fac159bc5aab10490df7d2dd78026b4
AgentTesla
dfa11369db60fbe16a9b26b74db1537fb185888fe7a5ec2058ed88f7866a7f95
AgentTesla
+ 5'157 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230724-smckaaeg77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/153c3fbb73c4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/431202/

Comments