MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7
SHA3-384 hash: 42e722dee33b80dc1a960deaf8eabac9b8ae8ea3e64717a786eb35685c9aa5d11586a1e8b561ff6fd6fa73205b34c6ce
SHA1 hash: 4bc38283fa5125ed4be1c355abeabfe02078eacd
MD5 hash: 09d8ed8ad21fb7ce085d4cf8597def84
humanhash: early-apart-enemy-timing
File name:shimwed.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:217'774 bytes
First seen:2025-09-18 12:01:06 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:3MsOUywxfdrGV/Ug/FJIjoKKrw9Q67amr3eb9Xo+Cyd1s6YX3gJ:3jRyw9dvgdJIjoKKrw9Q63gJ
TLSH T1032416D71489213056E29173B897017ADBA013BBB30B75D9F42C4AE7DB7A8CE50AF24D
Magika vba
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28147/
Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cbf56188b954439247be40
Tags:
obfuscate xtreme spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
opendir opendir
Link:
https://www.filescan.io/uploads/68cbf61d73af424b47e5f680/reports/7e54b8a6-4d32-480f-9f2a-ab72bc91bd0e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-17T17:40:00Z UTC
Last seen:
2025-09-17T17:40:00Z UTC
Hits:
~10
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779969
Signature
Creates processes via WMI
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/09d8ed8ad21fb7ce085d4cf8597def84
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-18 06:56:18 UTC
AV detection:
2 of 38 (5.26%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=onmd6jqkekxygjynrhokvg2ebsc5ivfvmlritbuyc6ihln36qtdq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250918-para5azqy6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://educa.rr.gov.br/resources/img/1.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Visual Basic Script (vbs) vbs 73583f260a22af83270d89dcaa9b440c85d454b562e2898698179075b77e84c7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3626042/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28147/

Comments