MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e0ce84020e4b2fc726bb5ef5d4fee1e1166051d6d24e8dbb862766fea539855. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	5e0ce84020e4b2fc726bb5ef5d4fee1e1166051d6d24e8dbb862766fea539855
SHA3-384 hash:	ff8698950ce2621e10368343842a2a0f0cfb3a08ee0dc20146f55d870698950b363439b533ca1023ab287b49897bf52f
SHA1 hash:	77739b98a00b1633c4a1bb7f1c0269ec8ea3b4a5
MD5 hash:	b91ec12696eb757f52a18f1db57af858
humanhash:	kentucky-october-beryllium-quiet
File name:	Payloadpiaia.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	418'596 bytes
First seen:	2023-04-14 16:17:55 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	3072:wF3WhQK3yWWWWWXWWWWWJWWWWWJWWWWWJWWWWWalWWWW8:P
Threatray	2'056 similar samples on MalwareBazaar
TLSH	T192947C02891E94C4B3F36B03539F71F99FBBA6A5527D95091881520CE4CEE448EB6BF3
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Reporter	malwarelabnet
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

156

Origin country :

CA

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/382306/

Detection(s):

SecuriteInfo.com.VBS.Heur.ObfDldr.1.9421883C.Gen.15962.5329.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/64397cbd0530985b5cccf331/reports/fa7510d2-2d40-42bc-923a-250988ea943e/overview

Verdict:

Malicious

Labled as:

VBS.ObfDldr.1.9421883C

Link:

https://www.hybrid-analysis.com/sample/5e0ce84020e4b2fc726bb5ef5d4fee1e1166051d6d24e8dbb862766fea539855

Result

Verdict:

MALICIOUS

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1214043

Signature

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

VBScript performs obfuscated calls to suspicious functions

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e0ce84020e4b2fc726bb5ef5d4fee1e1166051d6d24e8dbb862766fea539855/

Threat name:

Script-WScript.Downloader.Heuristic

Status:

Malicious

First seen:

2023-04-14 14:46:05 UTC

File Type:

Text (VBS)

AV detection:

3 of 35 (8.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lygoqqba4szpy4tlwxxv2t7odyiwmbi5nusorw5ymj3g72sttbkq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

064cc8f4cf0bd367530bfc8a6d541e40a3120845252fe8c82a53f45d6a40e270

2a890802046e55c856e2a6be5a2268fb8ba4410c15ac51415a1c30b0cd2336b2

2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e

353484a9cc5a80b4023c9035064e3a66de09eaf11bddd84285a3f7bc59a598a2

493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161

5453c16d0530e3bf32f870269a92db07188195005273c769b05752f4bb7c18e1

546296386f790b239e38e70b371954f4ca87d4715bc3147497f82c466d721ce2

57d148e97edd36a56b6cb5fdfae00c5224b198f9660426e68f4a0555844d803b

6bd12f0da603fe1aa752df374d02ff65cdd6bae1ada549357ac8736ba942c395

f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d

+ 2'046 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230414-trx78aae93/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Blocklisted process makes network request

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5e0ce84020e4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e0ce84020e4b2fc726bb5ef5d4fee1e1166051d6d24e8dbb862766fea539855

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/382306/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample