MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
SHA3-384 hash: 255f13e12ba1b57d70dfd4126844b080dd5e379ce22fa02c848d46daa221599d05cc3c1201aff77727f9a1ee4ef2f33b
SHA1 hash: 1a379838129904188cd08ffe9c645a5daba3bea5
MD5 hash: 90480a98c3f20658dcc43fa6db7bd562
humanhash: sixteen-ten-zebra-march
File name:Enquiry.js
Download: download sample
Signature AgentTesla
Create hunting rule
File size:231'420 bytes
First seen:2024-11-29 12:43:42 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSq+QdBA5gC/2KZgSq+Qdt:C2KZgSq+QdBA5gC/2KZgSq+QdR2KZgSm
Threatray 3'440 similar samples on MalwareBazaar
TLSH T11A34C30225D6B008F1F21F6297D919F94F67B5AA263D531DB8841F4E2BE2990CE437B3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika mp3
Reporter Anonymous
Tags:AgentTesla js

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6749b84804c232bff3b4b87e
Tags:
xtreme gumen virus shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6749b7174b0e5551e6079616/reports/2f0a9af3-5b5a-40ef-ae9e-765d1b96dbf1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1565241
Signature
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: MSBuild connects to smtp port
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565241 Sample: Enquiry.js Startdate: 29/11/2024 Architecture: WINDOWS Score: 100 27 talhayerlikaya.com.tr 2->27 29 mail.detarcoopmedical.com 2->29 31 9 other IPs or domains 2->31 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 11 other signatures 2->51 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 65 JScript performs obfuscated calls to suspicious functions 9->65 67 Suspicious powershell command line found 9->67 69 Wscript starts Powershell (via cmd or directly) 9->69 71 3 other signatures 9->71 12 powershell.exe 7 9->12         started        process6 signatures7 73 Suspicious powershell command line found 12->73 75 Found suspicious powershell code related to unpacking or dynamic code loading 12->75 15 powershell.exe 14 16 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 37 ip.1016.filemail.com 142.215.209.77, 443, 49730 HUMBER-COLLEGECA Canada 15->37 39 talhayerlikaya.com.tr 194.31.64.251, 443, 49736 BURSABILTR unknown 15->39 41 Writes to foreign memory regions 15->41 43 Injects a PE file into a foreign processes 15->43 21 MSBuild.exe 15 2 15->21         started        25 MSBuild.exe 15->25         started        signatures10 process11 dnsIp12 33 detarcoopmedical.com 161.97.124.96, 49739, 49740, 587 CONTABODE United States 21->33 35 ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States 21->35 53 Tries to steal Mail credentials (via file / registry access) 21->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->55 57 Tries to harvest and steal browser information (history, passwords, etc) 21->57 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 25->63 signatures13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899/
Threat name:
Text.Malware.Boxter
Create hunting rule
Status:
Malicious
First seen:
2024-11-29 09:03:53 UTC
File Type:
Text (JavaScript)
AV detection:
3 of 38 (7.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psjtfx2w7qagd7eder226q6rzfddnjpyoeabdm4vfxeyofxsbcmq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5
AgentTesla
36714617ab3acacb11df096fb64e7ced344b241ebfdd501a60077c931c89577a
AgentTesla
3f354bdb3557ffb64892e788c439adc0da9f7fd4f39b143a1cc2d8f7059b4488
AgentTesla
5a813cfc61c2b1c738d0c5785812dc28f461631a70d98b970fc9810f709dbd94
AgentTesla
70576f474296d70ab1182339945255eeed65d7f5e8b71b153a56b9e2c0478ec5
AgentTesla
741297ecc59d39296f360b100032cdb120af2eb4ccc5b91f370c0eacb9ee7e25
AgentTesla
886699a7b1f864a18f767b1f3c95d860bced175c6e9bf2a5186119b698b5de23
AgentTesla
c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c
AgentTesla
error
AgentTesla
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
AgentTesla
+ 3'430 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/241129-pygftswkf1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Malware Config
Dropper Extraction:
https://1016.filemail.com/api/file/get?filekey=0RUgbZ-8FbUsLkmTHKk7vmioQRpHGD8qVMkgf-v_Yna_Wu4TdrJepse70JUd-j9UMfry&pk_vid=e0109638c9bfb9571732794374a1ff6c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Java Script (JS) js 7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments