MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f
SHA3-384 hash: 2f043778b9d6753a22ec033c713299cc3743d6a56b2e01aeebb58ba4d7fd4b1095700cbdef10f8107be053a5ae02d96f
SHA1 hash: eb9e792882569c715de2831979875e815eb759cc
MD5 hash: 4252e621deafcc0ffde3d867c4f5d95b
humanhash: fruit-california-carolina-ohio
File name:Enquiry-60096843551009.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:534'416 bytes
First seen:2023-04-06 10:33:00 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:uvYgyZsfZuuF8iQg67nDbbbbbkbbbbbebbbbbebbbbbebbbbbD2bbbbbo:Tg2f
Threatray 1'891 similar samples on MalwareBazaar
TLSH T105B4A727E085E9C862F37F07479E35EDBBABF7B0112F995964844B5E12C58849E803F2
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380613/
Detection(s):
SecuriteInfo.com.VBS.Heur.ObfDldr.1.952B9798.Gen.25914.3789.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/642e9fe52254dc8912046aa3/reports/d2e3457f-5510-47d4-bd5d-b9bf7a8b6dbc/overview
Verdict:
Malicious
Labled as:
VBS.ObfDldr.1.952B9798
Link:
https://www.hybrid-analysis.com/sample/58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209580
Signature
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842493 Sample: Enquiry-60096843551009.vbs Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 3 other signatures 2->45 8 wscript.exe 1 2->8         started        11 powershell.exe 3 15 2->11         started        process3 signatures4 47 VBScript performs obfuscated calls to suspicious functions 8->47 49 Suspicious powershell command line found 8->49 51 Wscript starts Powershell (via cmd or directly) 8->51 53 Very long command line found 8->53 13 powershell.exe 14 9 8->13         started        17 powershell.exe 15 11->17         started        19 wscript.exe 11->19         started        21 conhost.exe 1 11->21         started        process5 dnsIp6 37 yorkrefrigerent.md 195.178.106.125, 443, 49696 TOPHOST-MD-ASRMoldovaChisinauParis18ARO Romania 13->37 63 Suspicious powershell command line found 13->63 65 Writes to foreign memory regions 13->65 67 Injects a PE file into a foreign processes 13->67 23 RegSvcs.exe 2 13->23         started        27 powershell.exe 12 13->27         started        29 conhost.exe 13->29         started        signatures7 process8 dnsIp9 33 hermosanairobi.com 192.81.170.3, 26, 49697 AS-UPTIMECA Canada 23->33 35 mail.hermosanairobi.com 23->35 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->57 59 Tries to steal Mail credentials (via file / registry access) 23->59 61 2 other signatures 23->61 31 conhost.exe 27->31         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f/
Threat name:
Script-WScript.Downloader.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-04-06 09:12:32 UTC
File Type:
Text (VBS)
AV detection:
5 of 36 (13.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldif5nflhvh6ukdbd7ajvshxfuarxsggjwb2gwhbqelpz3wfrshq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10378a656282ac8e5d676229bc2151b553e50906495bf0bfe6ec4c93373dc2a8
AgentTesla
2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
AgentTesla
23c49d3c46ddb3a5a8eabb6759c3baff956f98efa3c27ac263353125b2856294
AgentTesla
353484a9cc5a80b4023c9035064e3a66de09eaf11bddd84285a3f7bc59a598a2
AgentTesla
7d382b07319f3666cb6072d419a7174fbb0b05727c455333e8ab7bd8ea38b65a
AgentTesla
a1895fde4d01b87eabbc7ea07f2eecf1ae17e88dafb5636c9dd74003622db8e2
AgentTesla
c1fea3070e2c0836fee930ce393a597e18a4c383a4ba007700d638f6a956da2c
AgentTesla
cff3629965c874b1867aec089f5d23eb0d37f8f011c72fd775c3711faf47515e
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
+ 1'881 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230406-mljpbaee6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Blocklisted process makes network request
AgentTesla
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58d05eb4ab3d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs 58d05eb4ab3d4fea28611fc09ac8f72d011bc8c64d83a358e18116fceec58c8f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380613/

Comments