MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9
SHA3-384 hash: b7b7e119954784ecbe36ea1ac62e2675b2c6f9debfded5349accbdc0a2c832aec1c8049cb83e3ff43ad63d1bcf39e43d
SHA1 hash: 0def6082281daf52858e76a79ac31bb4da08e87e
MD5 hash: d2dc5fb25a4861242df613b6ed6e48bd
humanhash: purple-winner-burger-illinois
File name:12Vbs Online.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:296'946 bytes
First seen:2023-06-19 16:54:11 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:fmdNpoy/kxxI6CWWaWxKWWW4QCWRWtad4Vt5n5W5XNsn1W7HLDVZdMxzakYTIvsV:nNnWBMxzakm
Threatray 3'758 similar samples on MalwareBazaar
TLSH T17D545602A7FE1549F2F37A056E7A50A94F37BDA16939C94C408C1A0E0BF3E548D65BB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter malwarelabnet
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400623/
Detection(s):
SecuriteInfo.com.VBS.Obfus-101.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/649088671bc6cbebc9b57af2/reports/db1dfe4b-9ca1-42f7-a1fa-2a51b1274017/overview
Verdict:
Malicious
Labled as:
Generik.FHIWTZK trojan
Link:
https://www.hybrid-analysis.com/sample/7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9
Result
Verdict:
SUSPICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257592
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9/
Threat name:
Win32.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-06-17 00:57:12 UTC
File Type:
Text (VBS)
AV detection:
2 of 37 (5.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=or2mlhrm5v5vks6ahimqwm3jb5savd2blm4p4ipczkqkpizscxeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d04d01b0189a6d129f0f8dab1afdd3aeef49eafad1d208c93f7bc3dc0b36394
AgentTesla
168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8
AgentTesla
32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db
AgentTesla
3c89cb1c6c74747eadb40f158ea38751bd1a61acdc789b86f0acd0a107b689e9
AgentTesla
6234c83cf8e46f8e09fed9cbf0456be735dc8640c2df0ee4734b7fa730e0b8eb
AgentTesla
cdb463c9aeff4b1d0090647e3baa27f32360301b0be912489f2b32e1f469650e
AgentTesla
d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
AgentTesla
e75e7b4f4db640c54deb092dd373afa2b692a2078461cd0193e2b54b84c8250c
AgentTesla
f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3
AgentTesla
+ 3'748 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230619-ve4pxafb56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Malware Config
Dropper Extraction:
http://servercrypter.ddns.com.br/e/e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400623/

Comments