MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a46c33cf8a11a1c4653c344b2559444343a740a7ea479bd2f2d1a51fc7cd9ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	5a46c33cf8a11a1c4653c344b2559444343a740a7ea479bd2f2d1a51fc7cd9ae
SHA3-384 hash:	75d9a43c14297e19dc9967f91caca7e5bf1756ba77856e7c945983085f04e1d12d14dbdb3792d6e0b7d2d903d8bceae5
SHA1 hash:	84be20bcf2f8d7a02b0196dee3b04670cfb11cef
MD5 hash:	1685364f6a29adce613a378d6358914a
humanhash:	romeo-orange-jupiter-sad
File name:	factura orden de compra.PDF____________________.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	347'542 bytes
First seen:	2023-06-23 11:39:16 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	3072:3/dzaL5n5Z5XNsn1u7HLDVZ8MxzakjTIvsp6Z0:JnOAMxzak5
Threatray	3'796 similar samples on MalwareBazaar
TLSH	T12774010362EA5DC9B1F22A076A7B50B54BF7BE65293DC54C40CC1A0E0BE3A5C8D55BE3
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Reporter	abuse_ch
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

141

Origin country :

NL

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/402158/

Detection(s):

SecuriteInfo.com.VBS.Obfus-101.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade

Link:

https://www.filescan.io/uploads/64958495ccad8a4d6086973e/reports/8f2b8636-4215-4b94-ac23-a6f4d76f1cf6/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/5a46c33cf8a11a1c4653c344b2559444343a740a7ea479bd2f2d1a51fc7cd9ae

Result

Verdict:

SUSPICIOUS

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1260416

Signature

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Found malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5a46c33cf8a11a1c4653c344b2559444343a740a7ea479bd2f2d1a51fc7cd9ae/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ljdmgphyuenbyrstynclevmuiq2du5akp2shtpjpfunfd7d43gxa._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8

3c89cb1c6c74747eadb40f158ea38751bd1a61acdc789b86f0acd0a107b689e9

6234c83cf8e46f8e09fed9cbf0456be735dc8640c2df0ee4734b7fa730e0b8eb

63ff2048431b0b07082efac82b0df98fc58b00af04df325ea8a50b81c0110a95

7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9

8514688f25e263c5e78673ecf3275a0eb4d49bb7d155924d1a889b4f3a7eec49

93bd0a081feb2e1576bbf84b672e120981ad2cf3f5017db7942959f9959f5066

cdb463c9aeff4b1d0090647e3baa27f32360301b0be912489f2b32e1f469650e

d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15

f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3

+ 3'786 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/230623-nsv7csee37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Blocklisted process makes network request

Malware Config

Dropper Extraction:

http://ftpserver.winconnection.net/e/e

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a46c33cf8a1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5a46c33cf8a11a1c4653c344b2559444343a740a7ea479bd2f2d1a51fc7cd9ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/402158/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample