MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c
SHA3-384 hash: 9840e0e9ab09aeb77ef78f5d03481b9a68720f481138cd904769747ce217f0353a8cffef87f12beeaa65639e0854a0d3
SHA1 hash: 6c1520e9b3f2e62fbd58aba44d07451a373e4c7d
MD5 hash: dc6b8c75c66486d54dd1491d7c90667f
humanhash: romeo-twelve-sixteen-tango
File name:pago_041759_01072023.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:319'418 bytes
First seen:2023-07-04 05:42:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:xIg2ZccrQvglBpiJU+ogsUJW4Wrle/PhG+/kery+bG0IKOv5tH5DULV0H7Svuviw:DglBp9+og0S7sKOvTZvHWV8
Threatray 4'417 similar samples on MalwareBazaar
TLSH T1AF6468412EEF400861B7AACF4BF560A54F7BB9795839C5A8058F550A0BEFDC0B921F72
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter lowmal3
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/406255/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-IK.8639.68.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin pubprn
Link:
https://www.filescan.io/uploads/64a3b16826dab9d9c8509079/reports/4f3e46c3-7234-4170-86ab-eea5b177d817/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.BBN
Link:
https://www.hybrid-analysis.com/sample/47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266352
Signature
Connects to a pastebin service (likely for C&C)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266352 Sample: pago_041759_01072023.vbs Startdate: 04/07/2023 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AgentTesla 2->32 34 3 other signatures 2->34 7 wscript.exe 1 2->7         started        process3 signatures4 36 VBScript performs obfuscated calls to suspicious functions 7->36 38 Suspicious powershell command line found 7->38 40 Wscript starts Powershell (via cmd or directly) 7->40 42 Very long command line found 7->42 10 powershell.exe 14 7 7->10         started        process5 dnsIp6 20 paste.ee 188.114.97.7, 443, 49700 CLOUDFLARENETUS European Union 10->20 44 Writes to foreign memory regions 10->44 46 Found suspicious powershell code related to unpacking or dynamic code loading 10->46 48 Injects a PE file into a foreign processes 10->48 14 jsc.exe 15 2 10->14         started        18 conhost.exe 10->18         started        signatures7 process8 dnsIp9 22 mail.embon.com.ar 69.61.45.71, 49702, 587 GLOBALCOMPASSUS United States 14->22 24 api4.ipify.org 104.237.62.211, 443, 49701 WEBNXUS United States 14->24 26 api.ipify.org 14->26 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->52 54 May check the online IP address of the machine 14->54 56 2 other signatures 14->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c/
Threat name:
Script-WScript.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-04 05:43:06 UTC
File Type:
Text (VBS)
AV detection:
4 of 37 (10.81%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i53eup6uzg2valapsj4zft6uupd6c23qekfwcpai5rqhgphi6yga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0643798473696f97c20a9ee0f8937f7aef794366590fb0af315593b718709b69
AgentTesla
1a440b94a68e98bea79401ae8aed0c35b86f9f713803f45431ff587edcf5bac8
AgentTesla
516b951cc8f8510145ee20df40652adf83b989c909773a2b0ad0c6123f388854
AgentTesla
590a2ffe3a7d94ea6f13f48c39affc97790afcad1d1f750144e6319ace0c42a9
AgentTesla
84c7973871a6a639c40534f9e3fd7135bd35cd1b0eee937cc849af90c903c4c2
AgentTesla
84ebd97fd1765dc6341db835a8dc4cff8edefd8f263f87e7b1c89b9d60167447
AgentTesla
988de5533ea7c98cdc0974eeb98cc650bdc4f991df9c8f0f85c5a7d4e7611b45
AgentTesla
9c4bed3e367c58faa476e1f02c6f3270daba50527eee5a20d4f25a4610cd56e2
AgentTesla
ea9c43836863f74a0ea38ed27e6a24e3e4fbc5846b49b502af5505348d683eb5
AgentTesla
+ 4'407 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230704-gekp5sbb96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47764a3fd4c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 47764a3fd4c9b5502c0f927992cfd4a3c7e16b70228b613c08ec60733ce8f60c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/406255/

Comments