MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8
SHA3-384 hash: 36f6af6f3abae9b32f44a9119d1ff7951ee2bed289af4b250acc89518d188b2360ea381b8918cb225bd29aebb27d8b16
SHA1 hash: 113e4cba629581a01f93fc7892d2ffb01cf273ae
MD5 hash: 611598bbc65ab909914bd9638563289c
humanhash: table-bakerloo-item-rugby
File name:nuevo pedido 008794897.xlsx.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:601'120 bytes
First seen:2023-05-19 16:13:21 UTC
Last seen:2023-05-21 18:54:34 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:9Hmd+CKN/SoY+oYFt6C2yadzJCPKFLhO2DzPbb0D0JkZrIWWCFBs2:9Hmxw/kYFqdzJoKFT/PP0D0J2vH
Threatray 2'975 similar samples on MalwareBazaar
TLSH T136D47011E1CAA494F3FB7F0053AC72D73B2BB7BD6A30985D1349866D21DA8408DA477B
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.ocp.mx:21

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.GT.VB.ObfDldr.4.A96B8DE6.20747.24433.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6467a04cce332d1c1b5f7124/reports/d7795ff4-374f-4e93-98c1-367e878386a6/overview
Verdict:
Malicious
Labled as:
GT:VB.ObfDldr.4
Link:
https://www.hybrid-analysis.com/sample/168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237387
Signature
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-19 16:14:05 UTC
File Type:
Text
AV detection:
6 of 37 (16.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2fdk2cemmzq2gk4il5dverln5pxnqkifbmsjho63vo3kkmkjw4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
005db23050895f239546d175465a49e57e399c1a880b9f585eebcce477f4e872
AgentTesla
0d04d01b0189a6d129f0f8dab1afdd3aeef49eafad1d208c93f7bc3dc0b36394
AgentTesla
1b07cef24d36e5bad35ec6329471bad42b1cfa74fb304d1b855c81882b213b51
AgentTesla
1ecd2d55db79d55f1923ac98e1edf145d5d4ab3260c9dfeb7fa0986aa5414c8e
AgentTesla
2547bb68679d447dbde8f5631c385ba265aaf1dd9a8b3807e77ad475ad15adfa
AgentTesla
316483bf87a8932bf0d84dd527cce96da936a5612b005f5051b2656c39a9be62
AgentTesla
7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64
AgentTesla
c7e7c62f3d9ba103218de8ab0961e23821e91df67896cf7d450f39f535ca94f5
AgentTesla
d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
AgentTesla
+ 2'965 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230519-tpm98shd61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/168a35684463/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments