MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f61fe0c95d1c2021eb396c026b8e5bd953a8acf1c448a32bfdb985f4767da65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f61fe0c95d1c2021eb396c026b8e5bd953a8acf1c448a32bfdb985f4767da65
SHA3-384 hash: 7bad79d0d374eb90ac25e0d737e8e4236590a5dd727712e87eaafeadf21c96d77207e3e0d7d030bd887f6d8c72f9d6ce
SHA1 hash: 1aed757262d5386d619fbcbc0b843920e714ebbc
MD5 hash: 4135e4cf4bb6c09eb96a2170b05c5a6e
humanhash: mexico-eleven-artist-eighteen
File name:nuevo pedidoO06708..PDF_____________________.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:379'572 bytes
First seen:2023-07-06 06:22:39 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:rkkkkkYIr6lJlclGhInVJ0iSMrxVWY3jS6QHJkkkkktkkkkku54lA:rkkkkkYIr6lJlclGh9pkkkkktkkkkka
Threatray 4'500 similar samples on MalwareBazaar
TLSH T1B484651370DADCCD61E27A63075FF8B90FFAB6D4462E4199A1DC430A86C5D9C8E486E3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/408900/
Detection(s):
SecuriteInfo.com.GT.VB.ObfDldr.1.CEEF6066.7931.31041.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64a65dc68583eaadb34f0746/reports/96937d2e-4a96-4e91-a2e9-862af829e409/overview
Verdict:
Malicious
Labled as:
GT:VB.ObfDldr.1
Link:
https://www.hybrid-analysis.com/sample/9f61fe0c95d1c2021eb396c026b8e5bd953a8acf1c448a32bfdb985f4767da65
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1267802
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1267802 Sample: nuevo_pedidoO06708..PDF____... Startdate: 06/07/2023 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic 2->29 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 5 other signatures 2->35 8 wscript.exe 1 2->8         started        process3 signatures4 43 VBScript performs obfuscated calls to suspicious functions 8->43 45 Suspicious powershell command line found 8->45 47 Wscript starts Powershell (via cmd or directly) 8->47 11 powershell.exe 7 8->11         started        process5 signatures6 49 Suspicious powershell command line found 11->49 51 Found suspicious powershell code related to unpacking or dynamic code loading 11->51 14 powershell.exe 14 14 11->14         started        18 conhost.exe 11->18         started        process7 dnsIp8 25 cryptersandtools.minhacasa.tv 186.210.128.242, 49695, 80 ALGARTELECOMSABR Brazil 14->25 27 195.178.120.24, 49696, 80 HEXAGLOBE-ASFR unknown 14->27 53 Writes to foreign memory regions 14->53 55 Injects a PE file into a foreign processes 14->55 20 RegAsm.exe 2 14->20         started        23 RegAsm.exe 14->23         started        signatures9 process10 signatures11 37 Tries to steal Mail credentials (via file / registry access) 20->37 39 Tries to harvest and steal browser information (history, passwords, etc) 20->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->41
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9f61fe0c95d1c2021eb396c026b8e5bd953a8acf1c448a32bfdb985f4767da65/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 15:52:23 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5q74dev2hbaehvts3acnohfxwktvcwpdrciumv73omf6r3h3jsq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
168a35684463330d195c42fa3a922b6f5f76c1482859249ddedd5db5298a4db8
AgentTesla
2c37a2e69e921672a2a9a14b9af4def2a610518cdfcab485bd7cb6bbbd7e2980
AgentTesla
3c89cb1c6c74747eadb40f158ea38751bd1a61acdc789b86f0acd0a107b689e9
AgentTesla
5d9b4040ddbe244b25286a81045c02f81f9ba9995f9583405eb11211ad3554c3
AgentTesla
7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9
AgentTesla
8514688f25e263c5e78673ecf3275a0eb4d49bb7d155924d1a889b4f3a7eec49
AgentTesla
b8aa2fc67d0bcc2e13632e68773ea7d7264e77d1798c6bf1eb8b1c8e9ae41df2
AgentTesla
d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
AgentTesla
f87578f93b7160f35ba86268b9ebfa63e795113c42a4eb12c1b632d3fc3ed7e3
AgentTesla
+ 4'490 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230706-g5h91ahb96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla
Malware Config
Dropper Extraction:
http://cryptersandtools.minhacasa.tv/e/e
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f61fe0c95d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f61fe0c95d1c2021eb396c026b8e5bd953a8acf1c448a32bfdb985f4767da65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/408900/

Comments