MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f0262681eee56267befc15aa3cebdc50e1094a472cd6eb06bc62bb2ffd9590b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f0262681eee56267befc15aa3cebdc50e1094a472cd6eb06bc62bb2ffd9590b
SHA3-384 hash: 06d536177f71a7ad1a4ffb068624e15806290e235a3ba2c2d76a0eb9d49330ab843f64cb6c63c4fec5241913186186d1
SHA1 hash: a45c6c72b9663a0edb3362826d7dc319c4315153
MD5 hash: fe294122e89f9063f5c3a94d8805927f
humanhash: sink-bravo-freddie-equal
File name:Payment Copy 7044896741.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:141'780 bytes
First seen:2024-06-11 19:01:14 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:0id99CObS+SfcP2VaJK6uQyhhWW0/5Jh1svcdLg0BAbUZlu9gISsRT:0idrxJK6H/wcJg0BAcE
TLSH T143D37C1263EA0108B5F32A5D5E7291784B27BF969979C23C05BC284E1FF39449DE1BB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.19751.17982.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Script.SNH-gen.1900.20220.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6668a0a2a439c6d6b087817dwin7simulatehigh_evasion
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cscript lolbin masquerade
Link:
https://www.filescan.io/uploads/66689f300bf5978c0b0e65dc/reports/b443a2c9-4820-4cec-8915-671318ce91da/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.VBS
Link:
https://www.hybrid-analysis.com/sample/4f0262681eee56267befc15aa3cebdc50e1094a472cd6eb06bc62bb2ffd9590b
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455478
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455478 Sample: Payment Copy 7044896741.vbs Startdate: 11/06/2024 Architecture: WINDOWS Score: 100 34 paste.ee 2->34 36 uploaddeimagens.com.br 2->36 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 52 11 other signatures 2->52 10 wscript.exe 14 2->10         started        14 wscript.exe 2->14         started        16 wscript.exe 2->16         started        signatures3 50 Connects to a pastebin service (likely for C&C) 34->50 process4 dnsIp5 38 uploaddeimagens.com.br 188.114.97.3, 443, 49712, 49713 CLOUDFLARENETUS European Union 10->38 56 System process connects to network (likely due to code injection or exploit) 10->56 58 VBScript performs obfuscated calls to suspicious functions 10->58 60 Suspicious powershell command line found 10->60 62 5 other signatures 10->62 18 powershell.exe 7 10->18         started        signatures6 process7 signatures8 40 Suspicious powershell command line found 18->40 42 Found suspicious powershell code related to unpacking or dynamic code loading 18->42 21 powershell.exe 15 16 18->21         started        24 conhost.exe 18->24         started        process9 signatures10 54 Creates autostart registry keys with suspicious values (likely registry only malware) 21->54 26 cmd.exe 2 21->26         started        process11 file12 32 C:\ProgramData\mxwinconf.vbs, ASCII 26->32 dropped 64 Command shell drops VBS files 26->64 30 conhost.exe 26->30         started        signatures13 process14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4f0262681eee56267befc15aa3cebdc50e1094a472cd6eb06bc62bb2ffd9590b
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4f0262681eee56267befc15aa3cebdc50e1094a472cd6eb06bc62bb2ffd9590b/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-06-10 20:14:48 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4bge2a65zlcm67pyfnkhtv5yuhbbffeolgw5mdlyyv3f76zlefq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240611-xprt7sxfkd/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4f0262681eee56267befc15aa3cebdc50e1094a472cd6eb06bc62bb2ffd9590b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments