MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a810a8cd3302b9c24b5513437ed61021e14cbed25f83f39800dd11763dd38fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a810a8cd3302b9c24b5513437ed61021e14cbed25f83f39800dd11763dd38fc
SHA3-384 hash: 4c832b962f9056838e91172ac98b4a4504461bcb797235efac4e3583c40749dfd839212d64f654e285aba72ff799d0b1
SHA1 hash: 6316758e05ec0a164b7a6926dc213474f69eb578
MD5 hash: 07eeb50bbb476821891734db9ed81f81
humanhash: bluebird-fourteen-winter-delaware
File name:ORDEN DE COMPRA 80107.pdf.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:431'068 bytes
First seen:2023-01-11 13:40:09 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:yitPxNNEhkN5AbHq4s+t99sMJTToKBDxtfi1q4:yImbfuP
Threatray 20'500 similar samples on MalwareBazaar
TLSH T1E994A50530F2409C98E267DB4EC3F5A8C777F2F141BE2EA6A4CC051B6BDE8419A167E5
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter 0xToxin
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
IL IL
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351947/
Detection(s):
Can't access file ERROR
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63bebc6ea66e2eb297385158/reports/e939ba65-279f-4865-9bb7-69f06b4a2dc8/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149590
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a810a8cd3302b9c24b5513437ed61021e14cbed25f83f39800dd11763dd38fc/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 13:41:05 UTC
File Type:
Text (VBS)
AV detection:
2 of 41 (4.88%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkaqvdgtgavzyjfvke2dp3lbaipbjs7nex4d6omabxiroy65hd6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6a62efe173a9eedf1175a22e079547b476828850019a0847491d0d6b61e7afb4
AgentTesla
6faebec8aa383683e58352a37735ddad2d4137e757080a0d4f781f411e0ed6b3
AgentTesla
71640a3e775e5585e125364f33908a2c182f3e8682c9937ab1e3659bc9a04bd6
AgentTesla
86874045d7c7065215ec5b09a6e7e37429b16691711086bc2a0452bb01851437
AgentTesla
88273e3c8b21831b5e66320d0abadc521ab5e435b3ee82f2d537bcee048b6572
AgentTesla
8c51bd57966ec69de3ab44f909272ba471ba7aa29728e182689e715747a3f507
AgentTesla
a896460d87b28a154dc6d789298bc39545cf0569f2f32a3d5e92fd52d1777f23
AgentTesla
b5c28d591dee22fc0e4c729d2d6fa990e1c0c09acf9dfcc2ad20db3e0fb2e6df
AgentTesla
c0a0b110892a3d8beef47a6e63b255c731265165b15c0f7b8452404ab1080fcc
AgentTesla
+ 20'490 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230111-qy3vhadb69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla payload
AgentTesla
Malware Config
Dropper Extraction:
http://172.174.176.153/dll/NoStartUp.ppam
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a810a8cd330/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a810a8cd3302b9c24b5513437ed61021e14cbed25f83f39800dd11763dd38fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351947/

Comments