MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58610df8d26214f674176416f6efdd6555e323c95b5eee98c88971d725fb92a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	58610df8d26214f674176416f6efdd6555e323c95b5eee98c88971d725fb92a8
SHA3-384 hash:	eb27ccd8faf95dac4660a67cb9974e8755854b9f4353efff7ea614d6a0a95bd3c8c62d30b325f3c1a9869f6b0ce8965a
SHA1 hash:	9d0393eccff318c99f4b2fe3abb9b49b02ceb6b7
MD5 hash:	2d54cae8b2afdc2354e46e543e0e950d
humanhash:	north-pizza-dakota-alaska
File name:	Payloadpiaiaia.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'489'302 bytes
First seen:	2023-04-25 13:09:16 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	768:6Yb3TXRT+t4W3gEbMXtuzaTMYHSNmhm4/O2ILuArgbfTME66666w66666j66666f:55TtG/OTM1NmQ4RILlPVe
Threatray	2'320 similar samples on MalwareBazaar
TLSH	T126656F53B959ECE0E2F33B03868FF4F827F766C5451E8C4A14EC401966C998D98A5AF3
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Reporter	malwarelabnet
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/384800/

Detection(s):

SecuriteInfo.com.VBS.Heur.ObfDldr.1.0CBF4783.Gen.16056.9769.UNOFFICIAL

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6447d12b2644a56ac26861a1/reports/e2326eb1-afcf-4a18-8e01-cbae62fc22e8/overview

Verdict:

Malicious

Labled as:

VBS.ObfDldr.1.0CBF4783

Link:

https://www.hybrid-analysis.com/sample/58610df8d26214f674176416f6efdd6555e323c95b5eee98c88971d725fb92a8

Result

Verdict:

MALICIOUS

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1220715

Signature

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

VBScript performs obfuscated calls to suspicious functions

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58610df8d26214f674176416f6efdd6555e323c95b5eee98c88971d725fb92a8/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2023-04-25 13:10:06 UTC

File Type:

Text (VBS)

AV detection:

6 of 23 (26.09%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lbqq36gsmikpm5axmqlpn365mvk6gi6jlnpo5ggirfy5ojp3skua._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5e0ce84020e4b2fc726bb5ef5d4fee1e1166051d6d24e8dbb862766fea539855

AgentTesla

5f6a89cfb0699f80b756e5b874fab9c80629791dad9e43cc5372e14122fa0b36

AgentTesla

5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05

AgentTesla

6b27a1755061190001d668a0280b25a59feb2d18fed4352f4e0c56a8af9512bd

AgentTesla

b56529131600b58462657106380f4ec863397c8a51f52dba1ea33ec0cfccefdc

AgentTesla

cd9751050398ddb160626944bdea396fcd592ac06a3657183f14ac1e8d9e66c5

AgentTesla

+ 2'310 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230425-qectzaae57/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Blocklisted process makes network request

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/58610df8d262/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58610df8d26214f674176416f6efdd6555e323c95b5eee98c88971d725fb92a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/384800/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample