MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 409b1f6446076f6d0b0ac35586954efdb987859e3489fa4f1f489951c45ce913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7


SHA256 hash: 409b1f6446076f6d0b0ac35586954efdb987859e3489fa4f1f489951c45ce913
SHA3-384 hash: 490714bca570784ce92b4eac9116406d0f46cf6af1646e11e572004b011579e4401d4c9bc199b8b21377fe56c0d9f96a
SHA1 hash: 9dcb5e106ba769eb1429668d6199cc2e5da6e885
MD5 hash: 69a5931f0f204ffb8740769f8cd74bc4
humanhash: twenty-earth-crazy-yellow
File name: Ειδοποίηση πληρωμής_770 2077.vbs
Signature: AgentTesla
File size: 87'302 bytes
First seen: 2025-08-14 12:38:00 UTC
Last seen: 2025-08-19 08:45:02 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 768:4ooAoAooAfooAoAooAUffffffffvrA5o/naoe/0AAh+XRffffffffffffffffm:5s2/nmAj
TLSH: T19F832616FADF8109B0B3AE559E6372B75B6B7B39243CC54810CC16094FE3941D8A1BBB
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: vba
Reporter: abuse_ch
Tags: AgentTesla geo GRC vbs

Intelligence

File Origin
# of uploads: 2
# of downloads: 71
Origin country: SE
Vendor Threat Intelligence
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powershell cmdlets to delay payload execution
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph: ID 1756936; Sample: 770 2077.vbs; Start date: 14/08/2025; Architecture: WINDOWS; Score: 100
Verdict: inconclusive
YARA: 1 match(es)
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2025-08-14 12:58:05 UTC
File Type: Text (VBS)
AV detection: 5 of 23 (21.74%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Hide Artifacts: Ignore Process Interrupts
Indicator Removal: File Deletion
Network Share Discovery
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments