MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 246f36c1b3697639786e4b47aa79b04f2d7e60006b573e904932d44558f94b73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 246f36c1b3697639786e4b47aa79b04f2d7e60006b573e904932d44558f94b73
SHA3-384 hash: e17bf0273e010eaebe35d28a83fee9ad2c672af0150c92dc8751516af385ecf2345ce8859880184c6b61c8da891915c5
SHA1 hash: 9774c003dc1d4651236986c6662b9cab809a0596
MD5 hash: b91eaaa74952f0e4812f1178839bd028
humanhash: cold-early-october-kitten
File name:estatement_20_05_2023.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:413'932 bytes
First seen:2023-05-20 07:19:56 UTC
Last seen:2023-05-21 18:54:06 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:9Hmd+CKN/SoY+oYFt6C2EFN9vSUFUZEMFx5D3YzD2f5QdBCuNME3RZQ2OgKqZaqo:9Hmxw/kYFa4aFDlurj2cw
Threatray 2'976 similar samples on MalwareBazaar
TLSH T13B941851D9BD10C9F3E13D00D76E0AACEB6BB7E6443ACD284684893AFADD4029751BD3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.DownLoader.2781.12855.16638.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/646874ab4de36323094b18c9/reports/87b77d08-6391-4e41-a9b3-db799edc6132/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/246f36c1b3697639786e4b47aa79b04f2d7e60006b573e904932d44558f94b73
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237865
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: MSBuild connects to smtp port
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 870860 Sample: estatement_20_05_2023.vbs Startdate: 20/05/2023 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Yara detected AgentTesla 2->39 41 Sigma detected: MSBuild connects to smtp port 2->41 43 2 other signatures 2->43 8 wscript.exe 1 2->8         started        11 wscript.exe 2->11         started        process3 signatures4 53 VBScript performs obfuscated calls to suspicious functions 8->53 55 Suspicious powershell command line found 8->55 57 Wscript starts Powershell (via cmd or directly) 8->57 59 Very long command line found 8->59 13 powershell.exe 15 8 8->13         started        process5 dnsIp6 33 194.180.48.187, 49698, 80 LVLT-10753US Germany 13->33 35 192.168.2.1 unknown unknown 13->35 61 Suspicious powershell command line found 13->61 63 Creates autostart registry keys with suspicious values (likely registry only malware) 13->63 65 Writes to foreign memory regions 13->65 67 Injects a PE file into a foreign processes 13->67 17 MSBuild.exe 15 2 13->17         started        21 powershell.exe 12 13->21         started        23 conhost.exe 13->23         started        signatures7 process8 dnsIp9 27 bursamerkezlab.com 188.132.193.36, 49700, 587 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 17->27 29 mail.bursamerkezlab.com 17->29 31 3 other IPs or domains 17->31 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->45 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->47 49 May check the online IP address of the machine 17->49 51 2 other signatures 17->51 25 conhost.exe 21->25         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/246f36c1b3697639786e4b47aa79b04f2d7e60006b573e904932d44558f94b73/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-05-20 07:20:11 UTC
File Type:
Text
AV detection:
3 of 37 (8.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=erxtnqntnf3ds6dojnd2u6nqj4wx4yaannlt5ecjglkekwhzjnzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8
AgentTesla
1a6889803b766ce102a10973126f946e3618a0f80c1cee6d902304d2ffae06c5
AgentTesla
1ecd2d55db79d55f1923ac98e1edf145d5d4ab3260c9dfeb7fa0986aa5414c8e
AgentTesla
2e5e690fe5a9607c51574cd1e8444591a9dd524fafc78911ff9f09ee5242bff1
AgentTesla
3d95aad98b74679081fa1ed0a87e9f3a64668388a4927f6f210c65bdf6fb2e56
AgentTesla
511bd4f1051444242dda8ae6df80720106a6b4d60eab89658baffb142affe730
AgentTesla
a2568c55311566d7907ad76b9b833d696ca45eb06b06e581a1e673d4442c613e
AgentTesla
b4073b9936abd8f87ba521d74ecfed8e16ba3582bbf80a51da0da0c1982814ad
AgentTesla
c3d484451f9d0cf5aa68dfeceed67b5853cd2780512129668e9fdd98bc5490de
AgentTesla
+ 2'966 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230520-h55cxadg91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/246f36c1b369/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/246f36c1b3697639786e4b47aa79b04f2d7e60006b573e904932d44558f94b73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 246f36c1b3697639786e4b47aa79b04f2d7e60006b573e904932d44558f94b73

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments