MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7
SHA3-384 hash:	c710d793513e25010efe8c12c2da116f38fe6e8b3c08153cb041a260ee8a47d3707921cbba69849ad96f7c03219e4f82
SHA1 hash:	70d7acee0f13bfaf47bce1b5d74fc33a55542e02
MD5 hash:	91f00ef0047b76ae3062d1e2e914817a
humanhash:	xray-mexico-enemy-arkansas
File name:	Prueba de pago.pdf.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	577'102 bytes
First seen:	2023-07-21 06:25:09 UTC
Last seen:	2023-07-21 13:10:48 UTC
File type:	vbs
MIME type:	text/plain
ssdeep	3072:35XNsn1+7HLDVZmMxzak9TyvspwL/TyNyctxFZUh/J/TYYbdHznXmxLJIrCsS4Cc:4n+aMxzakk2NyctxFZUh/J/Th
Threatray	5'070 similar samples on MalwareBazaar
TLSH	T158C4F6502EDF5008B2A3AA8B57F878E54F7BB9365638C49D644E060D0BEBDD0B854F72
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Reporter	abuse_ch
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/427318/

Detection(s):

SecuriteInfo.com.VB.Trojan.Valyria.8352.4714.3934.UNOFFICIAL

Gathering data

Verdict:

Malicious

Labled as:

Valyria

Link:

https://www.hybrid-analysis.com/sample/3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7

Result

Verdict:

MALICIOUS

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1277314

Signature

Antivirus detection for URL or domain

Found malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

VBScript performs obfuscated calls to suspicious functions

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7/

Threat name:

Script-WScript.Trojan.Minerva

Status:

Malicious

First seen:

2023-07-21 05:48:56 UTC

File Type:

Text (VBS)

AV detection:

13 of 25 (52.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hngsde53jkdeqv6hv2grd66samyaagwpcohydr3u3r6odyzwh3lq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2fcdf9b821c53b19c9fb4004084559c53c699db27a3359a0d811e5f6189dc260

AgentTesla

53224dc914e12b6a02b83e05380d13298bc3720f93eea15ee6205dc51aa2a948

AgentTesla

5590cb2801075c18a490b2d65789e7d668dd7d81313bf685487105e72329cc71

AgentTesla

685c0426486e575b97363649b440198dda823627b0067ab5e07a39aa830863f7

AgentTesla

6ec18d3df48468e9f95e818dca6b93f9b04f9786646670f6bdc721ab182860e3

AgentTesla

b3d5a8673c8f0c5b36f92ad6102af3259457c4f0a72f45e11c1841ae26e37845

AgentTesla

ba7f9aa187f2834a0e730911db8e70b035a93c5bfd1d98306a1b8841ee63d9a8

AgentTesla

e42328227b486a20674f9f12575df0a2bc3cab93a0030aa91c217c97ef56063c

AgentTesla

+ 5'060 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230721-g68ahsda5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Blocklisted process makes network request

AgentTesla

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3b4d2193bb4a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

vbs 3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/427318/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample