MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ff22d53dcd6fdfdd65267fde69b10122c3c680d23334f2f9c6047768d823cfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ff22d53dcd6fdfdd65267fde69b10122c3c680d23334f2f9c6047768d823cfe
SHA3-384 hash: 5a1fb1b18a6d752bb397f71815c4c37b7211b136be0c60f0f0fee437d9044bbda140e825a63f26b7ef5f2049d4cead17
SHA1 hash: a7d4130248aa7e13cc0e51158f49ac3d71c44f30
MD5 hash: a5624bbc9d832c64c741a830c331f2ab
humanhash: river-idaho-angel-ack
File name:PURCHASE ORDER.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:609'479 bytes
First seen:2021-08-23 15:00:56 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:bYQe01sb9E9ctLEHGpZpbu4bnE2SABsiahWPjOd2DQyGpe1E+Km7bAP+e51:pp1sb9E9ctLEHGpZpyUE2ciahWBElJ9f
Threatray 8'788 similar samples on MalwareBazaar
TLSH T132D4BF72C91D74D6437F196A42213B12CCBCE25F893FF2197EC905A5B6366E8CF29290
Reporter abuse_ch
Tags:AgentTesla vbs


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.gnvmetalica.pe:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181536/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837636
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Benign windows process drops PE files
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470063 Sample: PURCHASE ORDER.vbs Startdate: 23/08/2021 Architecture: WINDOWS Score: 100 35 mail.gnvmetalica.pe 2->35 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Yara detected AgentTesla 2->59 61 Yara detected AntiVM3 2->61 63 4 other signatures 2->63 8 wscript.exe 2 2->8         started        12 jNnIJrO.exe 2 2->12         started        14 jNnIJrO.exe 3 2->14         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\anyname.exe, PE32 8->29 dropped 65 Benign windows process drops PE files 8->65 67 VBScript performs obfuscated calls to suspicious functions 8->67 16 anyname.exe 3 8->16         started        69 Injects a PE file into a foreign processes 12->69 19 jNnIJrO.exe 6 12->19         started        71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->71 73 Machine Learning detection for dropped file 14->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->75 22 jNnIJrO.exe 2 14->22         started        signatures6 process7 dnsIp8 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->41 43 Machine Learning detection for dropped file 16->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->45 47 Injects a PE file into a foreign processes 16->47 24 anyname.exe 2 8 16->24         started        37 mail.gnvmetalica.pe 19->37 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->49 51 Tries to steal Mail credentials (via file access) 19->51 53 Tries to harvest and steal ftp login credentials 19->53 55 2 other signatures 19->55 signatures9 process10 dnsIp11 39 mail.gnvmetalica.pe 162.241.148.206, 49725, 49726, 49737 UNIFIEDLAYER-AS-1US United States 24->39 31 C:\Users\user\AppData\Roaming\...\jNnIJrO.exe, PE32 24->31 dropped 33 C:\Users\user\AppData\...\tmpG38.tmp (copy), PE32 24->33 dropped 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->77 79 Tries to steal Mail credentials (via file access) 24->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->81 83 Installs a global keyboard hook 24->83 file12 signatures13
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3ff22d53dcd6fdfdd65267fde69b10122c3c680d23334f2f9c6047768d823cfe/
Threat name:
Script-WScript.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 15:01:10 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7zc2u6423673vssm766ngyqciwdy2anemzu6l44mbdxndmcht7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
09f7b6653733496bf7009e3def383c57c774978147edaa5c84e5eae493e8d242
AgentTesla
33990c7027bd2b71b3097729edcadbe6d06a4b8746dabe85e251793f64022b1e
AgentTesla
d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63
AgentTesla
d4b4aa48fb15887d92750e5bcec1a9f2535860f0b6fffba8008a332c72a27b84
AgentTesla
eb62cecf43b2e2b3b9ed73bf2354f4387f8b9bb83dea24956be5602da1163869
AgentTesla
f620c94acf7ee91164eb9c8e6c75602f18a8c2f2bf846c7ebb1e838fedf6867c
AgentTesla
+ 8'778 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210823-gfj1hmwt26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3ff22d53dcd6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ff22d53dcd6fdfdd65267fde69b10122c3c680d23334f2f9c6047768d823cfe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 3ff22d53dcd6fdfdd65267fde69b10122c3c680d23334f2f9c6047768d823cfe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/181536/

Comments