MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a740871b977faf4c7158d82cecda551928ac5dcc39fbb84a32ae575b184af39a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	a740871b977faf4c7158d82cecda551928ac5dcc39fbb84a32ae575b184af39a
SHA3-384 hash:	174440a79f0a818d5af42fd80b0a150ee5ea9dcc954b245c9503a6a2308290a409035fe2e6dd5381466bb6408b9d9308
SHA1 hash:	0f850507dc8f0cfca06de8bdcd27008e010b0547
MD5 hash:	30ed6ca87aec5a50ec756331f4fd75bb
humanhash:	kentucky-oregon-charlie-papa
File name:	inquiry.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	666'139 bytes
First seen:	2021-10-29 17:56:32 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12288:nLGMGDOwYMf6p4TYKGGo6bnzsuMF3uKGq+uFueVCt:nLGZk6bnopsUbVm
Threatray	12'415 similar samples on MalwareBazaar
TLSH	T168E4CF32BF48BDC9539E2D83E0095A191DF25B27CBA256CCF7C1164728AEE1CDF16588
Reporter	abuse_ch
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Result

Verdict:

MALICIOUS

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/879493

Signature

.NET source code contains very large array initializations

Benign windows process drops PE files

Contains functionality to register a low level keyboard hook

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a740871b977faf4c7158d82cecda551928ac5dcc39fbb84a32ae575b184af39a/

Threat name:

Script-WScript.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-10-29 17:57:05 UTC

AV detection:

19 of 44 (43.18%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5aiog4xp6xuy4ky3awozwsvdeukyxomhh53qsrsvzlvwgck6ona._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0d94a60fa6bccf878f6ad33a340f123e17dd9a7f377fa9cf93a7b636e420651d

AgentTesla

12f2ee1cc6d06299b1a044cae83201d6550122a5e4ea1b3211415aba57059f14

AgentTesla

48865de84706ce8b33c56f8653ea34498293c80e080e2e04d1df8a7d17129455

AgentTesla

51d5859f266a7b373d71b9fd71d2eec4975a8d35fb01486f624b9235120e12d8

AgentTesla

5aa7f54ea9b684e8f17b5e34d4ea0ee92352377144a902f349128068a572291b

AgentTesla

61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d

AgentTesla

6c4970960cedd30c379036655f72940e297a316efe355f29d81b98a1b1a7f9c6

AgentTesla

9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08

AgentTesla

+ 12'405 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/211029-wjk9ssaebm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a740871b977f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/a740871b977faf4c7158d82cecda551928ac5dcc39fbb84a32ae575b184af39a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample