MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 395ddbba0630124a2f97a7f3ab590bcc09a04cbc96e39fe876f600842fd2abff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 395ddbba0630124a2f97a7f3ab590bcc09a04cbc96e39fe876f600842fd2abff
SHA3-384 hash: 95b252abf63fa30d9c4162687e65bcfc28fa09cca742a571b5438ded9731f76b35b391aed149f8ecc8f8368577523ab4
SHA1 hash: a9139528c8c4bb2cf34a55f5efb8c27b94d5c551
MD5 hash: 6406eb8aff96c351f832d7550ed4e1f0
humanhash: johnny-tango-hawaii-pasta
File name:Pago rapido.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:239'506 bytes
First seen:2023-04-09 07:07:57 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:29p2g28oFagG+U9ryz+VczaVsdyUv/EM6BS3wwrLicVQvmzcQC+aXGxbMN75ro6h:29kmcl6BSN1cQC+aXGxbMN75ro6BkZg
Threatray 1'921 similar samples on MalwareBazaar
TLSH T1C2346F07A05E4DD9E3E65A47034FB2797BFBA658413C1CD925C68B2722C9C18CA227F7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381039/
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.8111.6887.787.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64326458bf68c1790afb1cc8/reports/2fd7b0b8-a33a-4683-91d8-6bc9228da0c8/overview
Verdict:
Malicious
Labled as:
VBS.ObfDldr.1.D7AE0ED3
Link:
https://www.hybrid-analysis.com/sample/395ddbba0630124a2f97a7f3ab590bcc09a04cbc96e39fe876f600842fd2abff
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1210817
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 843733 Sample: Pago_rapido.vbs Startdate: 09/04/2023 Architecture: WINDOWS Score: 88 24 Multi AV Scanner detection for domain / URL 2->24 26 Antivirus detection for URL or domain 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Generic Downloader 2->30 8 wscript.exe 1 2->8         started        process3 signatures4 32 VBScript performs obfuscated calls to suspicious functions 8->32 34 Suspicious powershell command line found 8->34 36 Wscript starts Powershell (via cmd or directly) 8->36 38 Very long command line found 8->38 11 powershell.exe 14 8 8->11         started        process5 dnsIp6 22 yorkrefrigerent.md 195.178.106.125, 443, 49695 TOPHOST-MD-ASRMoldovaChisinauParis18ARO Romania 11->22 14 powershell.exe 12 11->14         started        16 conhost.exe 11->16         started        process7 process8 18 conhost.exe 14->18         started        20 attrib.exe 1 14->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/395ddbba0630124a2f97a7f3ab590bcc09a04cbc96e39fe876f600842fd2abff/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-04-08 16:32:04 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfo5xoqggajeul4xu7z2wwilzqe2atf4s3rz72dw6yaiil6svp7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10378a656282ac8e5d676229bc2151b553e50906495bf0bfe6ec4c93373dc2a8
AgentTesla
31adc1dd28145976ae25be96dcdd778bb9e2f7abc8c437e99edd9f2d3e4b872c
AgentTesla
353484a9cc5a80b4023c9035064e3a66de09eaf11bddd84285a3f7bc59a598a2
AgentTesla
58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f
AgentTesla
7d382b07319f3666cb6072d419a7174fbb0b05727c455333e8ab7bd8ea38b65a
AgentTesla
92abb68f4a0cf0e2c39583ec2b5fca1ce6f4ce751e7630c50bb198a5130a476d
AgentTesla
ce2d784aba970c2879caa1a84d204a38e9eedc76f47f8e2e114a472c45ee3bd8
AgentTesla
cff3629965c874b1867aec089f5d23eb0d37f8f011c72fd775c3711faf47515e
AgentTesla
d4e0c08a18355d7d49a54faa881b8864b9ede460e8c61fd91591dff2fd11f1e5
AgentTesla
+ 1'911 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230409-hx8elahg68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Blocklisted process makes network request
AgentTesla
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/395ddbba0630/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/395ddbba0630124a2f97a7f3ab590bcc09a04cbc96e39fe876f600842fd2abff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 395ddbba0630124a2f97a7f3ab590bcc09a04cbc96e39fe876f600842fd2abff

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381039/

Comments