MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fad60bf652441cb05639a9d85b1ff81b2950f06d95780aa45c7c4f231d4985f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6fad60bf652441cb05639a9d85b1ff81b2950f06d95780aa45c7c4f231d4985f
SHA3-384 hash:	a5d6ca1816972a675c80c63419e8863cd05e7382cc3b105aaf71e82de8b257fe26d1835b2a394e1b9016e5ce9b4545a6
SHA1 hash:	b695883ec353c3057aa9a32fcdc8ae0ef1200add
MD5 hash:	c3311fc86de7fa9f8526047246a5b93f
humanhash:	summer-comet-mike-music
File name:	REQUEST.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	681'334 bytes
First seen:	2023-06-01 14:55:00 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	3072:J8G1wfkYFEhNe4VTdRnTT8w4TWf1tnVKT2DZqsAgHDp3+og0S7wQzS18f8d6bb/D:dwfkYFoDZq5
Threatray	3'259 similar samples on MalwareBazaar
TLSH	T15CE46061A6DE1C84F2F26B1056BD53258B2BF9D58C3D918D88CCC99F7BEB600C861763
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Reporter	abuse_ch
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/394436/

Detection(s):

SecuriteInfo.com.Trojan.Siggen20.57697.19415.2375.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6478b14d0a98d88b592abe68/reports/8a54564b-6cb5-47ed-aca6-603bcb7fe437/overview

Verdict:

Malicious

Labled as:

VBS/Downloader.acb

Link:

https://www.hybrid-analysis.com/sample/6fad60bf652441cb05639a9d85b1ff81b2950f06d95780aa45c7c4f231d4985f

Result

Verdict:

UNKNOWN

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1246991

Signature

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

VBScript performs obfuscated calls to suspicious functions

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fad60bf652441cb05639a9d85b1ff81b2950f06d95780aa45c7c4f231d4985f/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2023-06-01 13:35:29 UTC

File Type:

Text (VBS)

AV detection:

7 of 37 (18.92%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6wwbp3fera4wbldtkoylmp7qgzjkdyg3flybksfy7cpemoutbpq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0b6ef2401f66dd90ec0f2222c5316d47dbde2c4502688dad63fdf2c15ebdc9d4

AgentTesla

514588821779c53d189b87b776bfc74f63c5901cdd3e007c55c0216eba21d544

AgentTesla

5e28056a4a8f3275f77157f332981a439fa4f2dc61f11f687b6526d1415eacef

AgentTesla

68ac3b25bda1eefa79313ec5ad1b03349dd0f97c3f7838748138d093603fc1c3

AgentTesla

7bb2941c908a15630c6ebd963fe19e0294277e84f3e399a95a75f4d990d687f8

AgentTesla

966af9af27325071b52d531da4c2cf95cf3aa14a4e2ee17caee17d27ee8a54e2

AgentTesla

db5aac25dcb71e739e6f5571cb7d10ba2f30c891d4a19307d6bf8c549b2074cb

AgentTesla

f865712074af18fd3e39087342df5c158f0ae596a753eaedc0ddd724ce231d95

AgentTesla

+ 3'249 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230601-safq6seg93/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Blocklisted process makes network request

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6fad60bf6524/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/6fad60bf652441cb05639a9d85b1ff81b2950f06d95780aa45c7c4f231d4985f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

vbs 6fad60bf652441cb05639a9d85b1ff81b2950f06d95780aa45c7c4f231d4985f

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/394436/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample