MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c2484919615d020288017069415dfbb589b8052b22439e36707febb425d8565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 9



SHA256 hash: 7c2484919615d020288017069415dfbb589b8052b22439e36707febb425d8565
SHA3-384 hash: 22f08eaf6d6d4e9f487eccf94d19f7f9ca3e5c309e14994b8912e0b4b9d05ca7597d7bf0a42c0715cf4be6aaa41be9a1
SHA1 hash: 557a73ef7fb5f4679c2e634376586144d3947f19
MD5 hash: 30ebc5bb661195c81b6dd31e59f4302a
humanhash: emma-helium-high-ten
File name: Transferencia.vbe
Signature: AgentTesla
File size: 1'163 bytes
First seen: 2023-06-27 08:18:01 UTC
Last seen: Never
File type: Visual Basic Script (vbe)
MIME type: application/octet-stream
ssdeep: 24:GZqI8bAQTkgPEl1R613be7y4ezMnVdxdjejDdAiedskkA/6aIRw:GUbPXElDKay4ezMTxByA7ds9I
Threatray: 4'133 similar samples on MalwareBazaar
TLSH: T12B21E7313461B7270CA24CBC4E3DB89092B4EC184A729CBCC5617EC940B7645960015E
Reporter: lowmal3
Tags: AgentTesla vbe

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: DE

Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 92 / 100
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID: 894966)
Sample: Transferencia.vbe
Start date: 27/06/2023
Architecture: WINDOWS
Score: 92
Process tree (child processes, triggered signatures and observed artifacts per node):
Transferencia.vbe
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file
  -> wscript.exe (started)
     Signatures: Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
     -> cmd.exe (started)
        Signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
        -> powershell.exe (started)
           DNS/IP: purecry.ydns.eu 85.209.134.253, 49693, 80 CMCSUS Germany
           -> cmd.exe (started)
              Dropped file: C:\Users\user\AppData\...\Xxqyinqn.bat.exe, PE32
              Signatures: Very long command line found
              -> Xxqyinqn.bat.exe (started)
                 Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
              -> attrib.exe (started)
        -> conhost.exe (started)
Threat name: Script-WScript.Downloader.Heuristic
Status: Malicious
First seen: 2023-06-27 08:19:05 UTC
File Type: Binary
Extracted files: 1
AV detection: 6 of 37 (16.22%)
Threat level: 2/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection evasion keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Sets file to hidden
AgentTesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Visual Basic Script (vbe) 7c2484919615d020288017069415dfbb589b8052b22439e36707febb425d8565 (this sample)

Delivery method: Distributed via e-mail attachment

Comments