MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 604604dc265f5866cfdae29e7ad4dc304a18a23feaf3c69ee3154461d62dbaf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 604604dc265f5866cfdae29e7ad4dc304a18a23feaf3c69ee3154461d62dbaf7
SHA3-384 hash: 193907110290bd3b527a9f733554d658484b9a6a30c72cbfd5abb02be81155535cf099b5fc9610e9ca649d0226dcfdd2
SHA1 hash: 5d40a4ecf0f5090a939d010e2003a774fb52247a
MD5 hash: a9caf8b0091fce3cb13f9dec654fc064
humanhash: river-comet-missouri-ink
File name:System_root.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:224'014 bytes
First seen:2023-07-21 10:52:40 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:v63psy2OUQYTSCMxzakCdSf+bP+GInC+DtJLpavs+rm8qv7i9fn1Lm675rt8TOkh:vy2OUQkMxzakj+hvspi9dLm6758eBQh
Threatray 3'956 similar samples on MalwareBazaar
TLSH T1E524D042A7FA1108B2F36B58AD7A45784F37BD96A939C55D418C290E0FF3E408D61BB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter pr0xylife
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427377/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-IQ.5150.19362.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint stealer
Link:
https://www.filescan.io/uploads/64ba638f2c2ccb7094408680/reports/b343b9e7-7048-432f-be7a-d37e8ce6b5e3/overview
Verdict:
Suspicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/604604dc265f5866cfdae29e7ad4dc304a18a23feaf3c69ee3154461d62dbaf7
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277363
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277363 Sample: System_root.vbs Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic 2->29 31 Multi AV Scanner detection for domain / URL 2->31 33 Found malware configuration 2->33 35 5 other signatures 2->35 8 wscript.exe 1 2->8         started        process3 signatures4 43 VBScript performs obfuscated calls to suspicious functions 8->43 45 Suspicious powershell command line found 8->45 47 Wscript starts Powershell (via cmd or directly) 8->47 49 Very long command line found 8->49 11 powershell.exe 7 8->11         started        process5 signatures6 51 Suspicious powershell command line found 11->51 53 Found suspicious powershell code related to unpacking or dynamic code loading 11->53 14 powershell.exe 14 16 11->14         started        18 conhost.exe 11->18         started        process7 dnsIp8 25 45.88.66.43, 49713, 80 LVLT-10753US Bulgaria 14->25 27 195.178.120.24, 49714, 80 HEXAGLOBE-ASFR unknown 14->27 55 Writes to foreign memory regions 14->55 57 Injects a PE file into a foreign processes 14->57 20 RegAsm.exe 2 14->20         started        23 RegAsm.exe 14->23         started        signatures9 process10 signatures11 37 Tries to steal Mail credentials (via file / registry access) 20->37 39 Tries to harvest and steal browser information (history, passwords, etc) 20->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/604604dc265f5866cfdae29e7ad4dc304a18a23feaf3c69ee3154461d62dbaf7/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 10:53:06 UTC
File Type:
Text (VBS)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbdajxbgl5mgnt624kphvvg4gbfbrir75lz4nhxdcvcgdvrnxl3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ace5259a5f3de5bfd71221aac959b8054bc31018aac425aa440aa4fe451ebb8
AgentTesla
0b30ef2d36a2b3017821cbd3e6ae4d141be417c0fc72d8289deb79dfedbea4b9
AgentTesla
27c66e4fca745ecd962769fd00218d7a645f338a6e20b25cce8b88d784a89a0a
AgentTesla
32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db
AgentTesla
6234c83cf8e46f8e09fed9cbf0456be735dc8640c2df0ee4734b7fa730e0b8eb
AgentTesla
cdb463c9aeff4b1d0090647e3baa27f32360301b0be912489f2b32e1f469650e
AgentTesla
defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3
AgentTesla
e75e7b4f4db640c54deb092dd373afa2b692a2078461cd0193e2b54b84c8250c
AgentTesla
+ 3'946 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230721-myyzrseg91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://45.88.66.43/rumpe_vbs.jpg
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/604604dc265f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/604604dc265f5866cfdae29e7ad4dc304a18a23feaf3c69ee3154461d62dbaf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:DROPPER_njrat_VBS
Create hunting rule
Author:SECUINFRA Falcon Team
Reference:https://bazaar.abuse.ch/sample/daea0b5dfcc3e20b75292df60fe5f0e16a40735254485ff6cc7884697a007c0d/
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427377/

Comments