MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc
SHA3-384 hash: b7ab1b3027ec0f83e536555d54d61517101b74617b1242b7ee191e88288c2c8faf574f037742ba5b101220c3f3cc7196
SHA1 hash: 6f7bf5b871e413f40f1c23e7953251d0fabbbf95
MD5 hash: eff515cd80fca123c65f7ed20d7f071f
humanhash: georgia-chicken-ceiling-spring
File name:HWX.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:275'722 bytes
First seen:2023-08-31 13:12:53 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:t7jmLQQJm7ILm5BmZMLpRKsEAlOb4b5bdZ7ZmZ8Z7V:t7jmLQQJm7ILm5BmZMLp4sEAT
Threatray 5'470 similar samples on MalwareBazaar
TLSH T11144C11121DAA04CB273BF835BCD75E99F5BF7B22B2A187E242803179722D54CE69731
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter James_inthe_box
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445475/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-JK.12882.885.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
sload
Link:
https://www.filescan.io/uploads/64f091df7444d2eb09f40e12/reports/4770b9ab-5023-4561-9335-d3340c6e6e12/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.Hworm
Link:
https://www.hybrid-analysis.com/sample/26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301049
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and load assembly
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1301049 Sample: HWX.vbs Startdate: 31/08/2023 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 7 other signatures 2->81 8 wscript.exe 1 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 91 VBScript performs obfuscated calls to suspicious functions 8->91 93 Suspicious powershell command line found 8->93 95 Wscript starts Powershell (via cmd or directly) 8->95 97 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->97 13 cmd.exe 1 8->13         started        16 powershell.exe 7 8->16         started        99 Very long command line found 11->99 18 powershell.exe 11->18         started        20 cmd.exe 1 11->20         started        process5 signatures6 117 Wscript starts Powershell (via cmd or directly) 13->117 119 Uses ping.exe to sleep 13->119 121 Uses ping.exe to check the status of other devices and networks 13->121 22 cmd.exe 1 13->22         started        25 conhost.exe 13->25         started        27 PING.EXE 1 13->27         started        123 Suspicious powershell command line found 16->123 30 powershell.exe 14 15 16->30         started        32 conhost.exe 16->32         started        34 powershell.exe 18->34         started        36 conhost.exe 18->36         started        38 cmd.exe 1 20->38         started        40 2 other processes 20->40 process7 dnsIp8 83 Wscript starts Powershell (via cmd or directly) 22->83 42 powershell.exe 9 22->42         started        85 Uses ping.exe to sleep 25->85 55 127.0.0.1 unknown unknown 27->55 57 uploaddeimagens.com.br 188.114.96.7, 443, 49725, 49767 CLOUDFLARENETUS European Union 30->57 59 94.156.161.167, 49726, 49769, 80 NET1-ASBG Bulgaria 30->59 87 Writes to foreign memory regions 30->87 89 Injects a PE file into a foreign processes 30->89 46 RegAsm.exe 15 7 30->46         started        61 192.168.2.1 unknown unknown 34->61 49 RegAsm.exe 7 34->49         started        51 powershell.exe 9 38->51         started        signatures9 process10 dnsIp11 53 C:\Users\user\AppData\Roaming\...\kGB.vbs, Unicode 42->53 dropped 101 Suspicious powershell command line found 42->101 103 Drops VBS files to the startup folder 42->103 105 Found suspicious powershell code related to unpacking or dynamic code loading 42->105 63 awelleh3.top 185.198.59.26, 49730, 49733, 49772 HSAE Netherlands 46->63 65 mail.awelleh3.top 46->65 73 2 other IPs or domains 46->73 107 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->107 109 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 46->109 111 May check the online IP address of the machine 46->111 67 mail.awelleh3.top 49->67 69 173.231.16.76, 443, 49770 WEBNXUS United States 49->69 71 api.ipify.org 49->71 113 Tries to steal Mail credentials (via file / registry access) 49->113 115 Tries to harvest and steal browser information (history, passwords, etc) 49->115 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-08-31 13:12:49 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eylwebjbd7oopljuz4inolyxr4len2it4nupb5n4yms6kquknhga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3f92752540e0658dc96fef662e8f96f9552383c8b8da50ea7707b35727a645de
AgentTesla
60c6242057a2ed2a102be819922a807139becf6b1cda2fa9eeed873fc6320623
AgentTesla
a06f443a1ca6cbaf9e8cd3a2ff0e7ec0d982d654709e952fc68621450926c509
AgentTesla
b9a72ccaad2c22150062d59d79744e1ab3aa5a106aa0837bdde9e05ccb39c91e
AgentTesla
be153a4036bff7a16febb0821fa79f035bfaed137c0c2a999fcd33e04859a7cf
AgentTesla
d62a3c103767f15ab470a20b591eb58d278cd500b5bf53bec7b3cca327f71c21
AgentTesla
d7093e702ca2995bfe864781a9476419a95efcd51d29805ce721021da24e4e94
AgentTesla
e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120
AgentTesla
f2688472718a5b0be3b64d7eb647620e18bf5ced25c01bba5e02c54cb9fb07bf
AgentTesla
+ 5'460 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230831-qf3rsafc37/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/26176205211fdce7ad34cf10d72f178f1646e913e368f0f5bcc325e5428a69cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/445475/
  
URLhaus
https://urlhaus.abuse.ch/url/2708639/

Comments