MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555
SHA3-384 hash: a0b08d02ee9a1840ef203912d7f4855fc03f4687d80977eeff2f096ef9294eb72f54c7a0e6b94271a1345cf4ed21dda9
SHA1 hash: 42a7e934d359063e9aa01a8de81887d204f1547b
MD5 hash: a0ee44301fe95623774af24b911dc7e9
humanhash: high-mountain-south-texas
File name:Letter of Intent - Granular Urea1.vbe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:49'793 bytes
First seen:2026-02-26 18:41:45 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 384:7s58/UZCNCL6Hli9WOCzD7i1/wFUifmz2bwyJhTSBaHmDa:7ypZUCLUQWOqI/waia7y3sra
Threatray 3'705 similar samples on MalwareBazaar
TLSH T14723A474290C45EF24D3EAB4B084A7E3FE6C0A5C9FED664F515487DA1A3EA8734C3981
Magika vba
Reporter abuse_ch
Tags:AgentTesla vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.PUA.VBS.RC4-decode.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a094108fffa866e3b2806c
Tags:
ransomware backdoor shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/69a0940891ad9169e5345870/reports/9686112d-94f4-4277-bdf5-aec36b326ff8/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555
Verdict:
Malicious
File Type:
vbs
Detections:
PDM:Trojan.Win32.Generic HEUR:Worm.Script.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555/results?tab=lookup
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875537
Signature
Bypasses PowerShell execution policy
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic JS Downloader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1875537 Sample: Letter of Intent - Granular... Startdate: 26/02/2026 Architecture: WINDOWS Score: 100 30 bildify.co 2->30 32 api.ipify.org 2->32 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 8 other signatures 2->50 8 wscript.exe 16 2->8         started        signatures3 process4 dnsIp5 34 bildify.co 168.119.69.39, 443, 49681 HETZNER-ASDE Germany 8->34 22 C:\Users\user\AppData\Local\...\SECURE[1].Ps1, Macintosh 8->22 dropped 24 C:\Temp\DMAXNWOO.ps1, Macintosh 8->24 dropped 52 System process connects to network (likely due to code injection or exploit) 8->52 54 Wscript starts Powershell (via cmd or directly) 8->54 56 Bypasses PowerShell execution policy 8->56 58 3 other signatures 8->58 13 powershell.exe 16 8->13         started        file6 signatures7 process8 signatures9 60 Writes to foreign memory regions 13->60 62 Injects a PE file into a foreign processes 13->62 16 aspnet_compiler.exe 15 2 13->16         started        20 conhost.exe 13->20         started        process10 dnsIp11 26 162.254.34.31, 49693, 587 VIVIDHOSTINGUS United States 16->26 28 api.ipify.org 104.26.13.205, 443, 49692 CLOUDFLARENETUS United States 16->28 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->36 38 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->38 40 Tries to steal Mail credentials (via file / registry access) 16->40 42 2 other signatures 16->42 signatures12
Score:
33%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555
Verdict:
Malware
YARA:
1 match(es)
Tags:
Microsoft.XMLDOM VBScript
Link:
https://app.malva.re/file/a0ee44301fe95623774af24b911dc7e9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555
Threat name:
Script-WScript.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-25 02:25:37 UTC
File Type:
Text (VBS)
AV detection:
11 of 38 (28.95%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcjwa7zob6mmb7hqmbgel6dqphhh4ebxwmc7ogmixcuqgradkvkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
fantomcrypt
Create hunting rule
Similar samples:
239ec64b8c00bdc8603baaf441fc33bb14c14800051cf2d48d80345ff2966d9a
AgentTesla
b6303d1d53b5d47e74365e0eff2afc20a5447fef8e8e85416b7ea91d164537fe
AgentTesla
e2fb7528d5b4036d155a73293e3c4a97a96c6365677e89213a00fb825268290f
AgentTesla
e4f80d58918b691b1732a984c5f1801965c5f9330c8fb50e1cf1e1a19705abd8
AgentTesla
error
AgentTesla
+ 3'695 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/260226-xcg48scw6b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
AgentTesla
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a893607f2e0f98c0fcf0604c45f87079ce7e1037b305f71988b8a90344035555

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments