MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f
SHA3-384 hash: 54f827f380a496160e4f0703201b449b356e0474cb2e1147ee7b07933e760d752492dd8ec306950a58b0ae008c58af67
SHA1 hash: bdc86ae73f8ea542af15ed6a5643b1a9cfd8ea51
MD5 hash: fd5d9dd54f30ebeda49b3f3d9d57d1c6
humanhash: item-victor-robert-zulu
File name:183287857-050118-sanlccjavap0004-6561_PDF.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:440 bytes
First seen:2021-10-21 18:18:54 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:SCw9wCJhIgmVeljehfMWUBAzdqsH3wkxCXg0TC:9wtrp+fMWPnwHQcC
Threatray 12'195 similar samples on MalwareBazaar
TLSH T139F0DF5FF41F77E70A21B853F1F7D224992085021BA8C67D926283CD4B654763B2217E
Reporter abuse_ch
Tags:AgentTesla RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199168/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.48093.6388.17334.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6171af189a5a1e91c5cc21ca/reports/6e63a086-60b6-40bc-b997-4ad5be2d3e73/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874804
Signature
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f/
Threat name:
Script-WScript.Downloader.Powdow
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 21:36:58 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oxubwjxxn4afaqeolgu5gydob3tni5h7vhrcsymh6wbiqt5c6wpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f
AgentTesla
3bd531bf7f5b3d7b331a325ebc1f71d8b59c5db9b0c03287137beb0931012a09
AgentTesla
6200e6a721132d15b787150d21ed3d1a153dcafa0068d7785286a84820d2cb94
AgentTesla
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
AgentTesla
b9c0b6dd76212644b551d5b8ea745b3f14f6c92365e767836382a4c8ea54906b
AgentTesla
be210663fa2f732768adccd12d26b56cc23740d433481f748ce7401c75f41e72
AgentTesla
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
AgentTesla
db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de
AgentTesla
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
AgentTesla
+ 12'185 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211021-wx6gwsbedl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Blocklisted process makes network request
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1923270472:AAFHljVp-f8Q5-X0iy70Vfe0aTch5THPa-U/sendDocument
Dropper Extraction:
http://202.55.132.106/Bypass3.txt
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/75e81b26f76f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/host/202.55.132.106/
Cape
Cape
https://www.capesandbox.com/analysis/199168/

Comments