MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e46b06d31e7e09162fbc59a2aa0c9fa138b2491359042626f9de659d9b0b065. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e46b06d31e7e09162fbc59a2aa0c9fa138b2491359042626f9de659d9b0b065
SHA3-384 hash: 5b8b0e07d239975a5199e37e15c9365c8de8b5344423041cf5fc290a81d0c3a7e1a4eac8de1dc969bf81326ec05e1ecd
SHA1 hash: 9d38736d9b230040e2f0c78531bb6768291bae5a
MD5 hash: 8be364f89bc3f098890bf2c1a576d7a6
humanhash: illinois-magazine-oscar-washington
File name:Wshp.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:397'030 bytes
First seen:2023-10-04 06:34:30 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:5gJfgUZVZwKr5Tw2cGEdiGEdl9QtTmQ9AQ9OEmblQNUbGV5Z2qeQkYZQKcztQOp:5Kh7ZwKr5Tw2cGEdiGEd6UbGV8
Threatray 113 similar samples on MalwareBazaar
TLSH T13E84BE1066FFA45DB2737F521FED7AE58F5FFBA2672A509D240003068B66E40CD92632
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter lowmal3
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Malware-gen.3479.18653.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
sload
Link:
https://www.filescan.io/uploads/651d0798a31588d184f05146/reports/70272012-fc93-479c-b8d0-78038adf0e3c/overview
Verdict:
Malicious
Labled as:
Generik.HPHXJZZ trojan
Link:
https://www.hybrid-analysis.com/sample/5e46b06d31e7e09162fbc59a2aa0c9fa138b2491359042626f9de659d9b0b065
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319215
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell download and load assembly
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1319215 Sample: Wshp.vbs Startdate: 04/10/2023 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 9 other signatures 2->60 8 wscript.exe 1 2->8         started        11 powershell.exe 3 15 2->11         started        process3 signatures4 62 VBScript performs obfuscated calls to suspicious functions 8->62 64 Suspicious powershell command line found 8->64 66 Wscript starts Powershell (via cmd or directly) 8->66 68 3 other signatures 8->68 13 powershell.exe 7 8->13         started        16 powershell.exe 12 8->16         started        18 powershell.exe 15 11->18         started        20 wscript.exe 11->20         started        22 conhost.exe 1 11->22         started        process5 signatures6 74 Suspicious powershell command line found 13->74 76 Found suspicious powershell code related to unpacking or dynamic code loading 13->76 24 powershell.exe 14 17 13->24         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        process7 dnsIp8 42 uploaddeimagens.com.br 104.21.45.138, 443, 49807 CLOUDFLARENETUS United States 24->42 44 172.86.76.208, 49808, 80 M247GB United States 24->44 70 Writes to foreign memory regions 24->70 72 Injects a PE file into a foreign processes 24->72 32 RegAsm.exe 15 2 24->32         started        signatures9 process10 dnsIp11 36 api4.ipify.org 173.231.16.77, 443, 49809 WEBNXUS United States 32->36 38 api.telegram.org 149.154.167.220, 443, 49810 TELEGRAMRU United Kingdom 32->38 40 api.ipify.org 32->40 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->48 50 May check the online IP address of the machine 32->50 52 2 other signatures 32->52 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e46b06d31e7e09162fbc59a2aa0c9fa138b2491359042626f9de659d9b0b065/
Threat name:
Script-WScript.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 05:33:49 UTC
File Type:
Text (VBS)
AV detection:
2 of 38 (5.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzdla3jr47qjcyx3ywncvigj7ijywjergwieeytptxtftwnqwbsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
AgentTesla
4b3fd775a80b08650b33e1df27b2dcad6d48740918776c7ff1a8d648927bb226
AgentTesla
509ab6d6f1089879e023ce06a093219765d41c19e2f6252f5ae7bd276483733d
AgentTesla
8be2a3d913c8851bffa0a682c9fb393d614a108e142344987ff9c8712d48c8c3
AgentTesla
9cab35781360174ec179b142782b298fb5b7b3cf60dda169e5991fb6a86bd3a4
AgentTesla
b73234fec5a6cbf5e739a75ce9aa9674f11dd409a81c740f009e1bf18c767c94
AgentTesla
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
AgentTesla
cffee94b2fed3ea5bf85eb7bab308ac9488d1ed882c02787ee318760b1a90350
AgentTesla
fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181
AgentTesla
+ 103 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/231004-hccgeshe8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e46b06d31e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5e46b06d31e7e09162fbc59a2aa0c9fa138b2491359042626f9de659d9b0b065

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2716292/

Comments