MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30daa784a59aed004a6a7e03981997cbc1b6db66ddc58c6dbec06e2f0eb70d7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30daa784a59aed004a6a7e03981997cbc1b6db66ddc58c6dbec06e2f0eb70d7a
SHA3-384 hash: d604f6d945f2666687f223b81ce17222cf8dea77a4d9e3dba22331194f610ccf9ee401b2d4edd35e4c2014a5d8f71efb
SHA1 hash: cdc47a5af1786a7560aa4dae1f80cb682bab28fc
MD5 hash: 34cad9618f1e2a6e34ed2f71532b6e18
humanhash: bulldog-magnesium-diet-washington
File name:Order005_PDF.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'743'951 bytes
First seen:2022-04-14 14:42:44 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:TiCVZfvbhAefTfnhfru4GTWTMQxhK4yx/zQ5Fa1IR5fyXx/7R7NMxAuRJT30s:Djjhbxre4yE61p/7QN
Threatray 16'186 similar samples on MalwareBazaar
TLSH T1CB85E03666E37C49BABF1F857A402C564CA42D9F93E2850CF6C06B9914E7C24EF198F1
Reporter notajungman
Tags:AgentTesla Telegram vbs


Avatar
notajungman
inside rar file

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263773/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/625832fa482f2f41caaea71f/reports/f5da171d-c507-40fc-af8c-c05d98ff4885/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976971
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609458 Sample: Order005_PDF.vbs Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 8 other signatures 2->65 7 wscript.exe 3 2->7         started        11 hmltog.exe 6 2->11         started        14 hmltog.exe 2 2->14         started        process3 dnsIp4 31 C:\Users\user\AppData\Local\Temp\name.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\Temp\file.exe, PE32 7->33 dropped 67 Benign windows process drops PE files 7->67 16 file.exe 3 7->16         started        19 name.exe 17 8 7->19         started        41 api.telegram.org 11->41 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->69 71 Tries to steal Mail credentials (via file / registry access) 11->71 73 Tries to harvest and steal ftp login credentials 11->73 81 2 other signatures 11->81 75 Antivirus detection for dropped file 14->75 77 Multi AV Scanner detection for dropped file 14->77 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->79 83 2 other signatures 14->83 file5 signatures6 process7 dnsIp8 43 Antivirus detection for dropped file 16->43 45 Machine Learning detection for dropped file 16->45 47 Writes to foreign memory regions 16->47 49 Injects a PE file into a foreign processes 16->49 23 RegSvcs.exe 14 6 16->23         started        27 RegSvcs.exe 16->27         started        35 api.telegram.org 149.154.167.220, 443, 49754, 49762 TELEGRAMRU United Kingdom 19->35 37 192.168.2.1 unknown unknown 19->37 29 C:\Users\user\AppData\Roaming\...\hmltog.exe, PE32 19->29 dropped 51 Multi AV Scanner detection for dropped file 19->51 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->55 57 4 other signatures 19->57 file9 signatures10 process11 dnsIp12 39 api.telegram.org 23->39 85 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->85 87 Tries to steal Mail credentials (via file / registry access) 23->87 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->89 91 Installs a global keyboard hook 23->91 93 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 27->93 95 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 27->95 signatures13
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/30daa784a59aed004a6a7e03981997cbc1b6db66ddc58c6dbec06e2f0eb70d7a/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 14:43:06 UTC
File Type:
Text (VBS)
AV detection:
12 of 42 (28.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdnkpbfftlwqastkpybzqgmxzpa3nw3g3xcyy3n6ybxc6dvxbv5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1ddb92cc0e9a6532ea09e16faa170fc14247677b8127b46a495c28f02ed922b0
AgentTesla
2486de846349fe6cfa2a9648cbeec4f535577267a32c7762d45f9fcc6b933e74
AgentTesla
56cea0a1ff889dc76f6f50d21bec9e36fd32f15db170f8e6c1629ccb37eb20b0
AgentTesla
5fd8a9938d323b529296fa6e85bd9b69c0c943a5e26c8f0349a3bd88a2231f42
AgentTesla
c93deb2dad2369c36dba7c829a5556a01301f968ec4209ed9c671c7ba9fba956
AgentTesla
f2833315c599f86d9a2f1d020ae68f39329c8b43401b8e03eecca32c5bf014ea
AgentTesla
f3ecdfbd4ca8190b6292c07ed9c8ed8b5981ee65a3c6ba46c1afb1c94a02d378
AgentTesla
+ 16'176 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220414-r3kedsgcd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5127674234:AAHGscjRk7JCDDCItFO4GPZfan-K7Hc89Z8/sendDocument
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30daa784a59aed004a6a7e03981997cbc1b6db66ddc58c6dbec06e2f0eb70d7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 30daa784a59aed004a6a7e03981997cbc1b6db66ddc58c6dbec06e2f0eb70d7a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/263773/

Comments