MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69085a16f5e572b264f072bc0a883e73854b593a3162ca94e6ee825882b3815c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69085a16f5e572b264f072bc0a883e73854b593a3162ca94e6ee825882b3815c
SHA3-384 hash: 1399a2d66df54105a89bae5f52e335b5e84acdfcec8937b37d65933b52eb9972a5c7cefbb0814c2deb49824ddea8a32a
SHA1 hash: c370ac851b18e2e04ce65f6f2f5767806aa47c32
MD5 hash: 6326f95044c9c0f17bb021f2052be2ea
humanhash: yellow-muppet-nuts-emma
File name:pago devuelto.pdf.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:431'084 bytes
First seen:2023-01-12 15:43:06 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:buAQAeAoA0AIApAcAhAcAAAtAuAmAgADARAyA5AXAYAaAYARAT:f
Threatray 20'497 similar samples on MalwareBazaar
TLSH T14894034936AA064190D175E74FCBF4A48BB3F2F181395C76A4DC271BA3DF805A91A3E3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent09 Downloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/352332/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/63c02ac4a8d8c7dd03205a30/reports/f0c55047-3ea2-4973-b6a1-6a849fc297af/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
AgentTesla, EICAR
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1150578
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected EICAR
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 783306 Sample: pago devuelto.pdf.vbs Startdate: 12/01/2023 Architecture: WINDOWS Score: 100 26 Snort IDS alert for network traffic 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Antivirus detection for URL or domain 2->30 32 5 other signatures 2->32 7 wscript.exe 1 2->7         started        process3 signatures4 34 VBScript performs obfuscated calls to suspicious functions 7->34 36 Suspicious powershell command line found 7->36 38 Wscript starts Powershell (via cmd or directly) 7->38 10 powershell.exe 14 15 7->10         started        process5 dnsIp6 20 172.174.176.153, 49709, 80 ATT-INTERNET4US United States 10->20 22 195.178.120.24, 49710, 80 HEXAGLOBE-ASFR unknown 10->22 40 Writes to foreign memory regions 10->40 42 Injects a PE file into a foreign processes 10->42 14 RegAsm.exe 2 10->14         started        18 conhost.exe 10->18         started        signatures7 process8 dnsIp9 24 sisoempresarialsas.com 51.161.116.202, 49713, 587 OVHFR Canada 14->24 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->44 46 Tries to steal Mail credentials (via file / registry access) 14->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->48 50 Tries to harvest and steal browser information (history, passwords, etc) 14->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69085a16f5e572b264f072bc0a883e73854b593a3162ca94e6ee825882b3815c/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-01-12 15:44:06 UTC
File Type:
Text (VBS)
AV detection:
2 of 41 (4.88%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=neefufxv4vzlezhqok6avcb6oocuwwj2gfrmvfhg52bfravtqfoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b0203248a9c024b4faa835a5b1968805f203b35484ac7b938fe2ce36a182dab
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
8e2e582ccc2be1d5ea5593a373896315a1ca871ef7cb611bd46b5dd5f95ed388
AgentTesla
c4c1b70602f58b2f42190cd69dc5e3061da0ff44e27f771b3aa456d8789fea72
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
dfe7a0c2e727c18f17644d33c1db7547943da38d8c05b7103f865c88b6279896
AgentTesla
e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91
AgentTesla
f76fef3e72be648d3a32fb43e48276ef6f04cc0f5a21b89d58983c3232775adc
AgentTesla
f8067bcbd115afe0e506baf9b9de74c07f088a6b9a4cbdaa70826c26b0d0fa95
AgentTesla
+ 20'487 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230112-s6gncage54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://172.174.176.153/dll/NoStartUp.ppam
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69085a16f5e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69085a16f5e572b264f072bc0a883e73854b593a3162ca94e6ee825882b3815c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352332/

Comments