MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9b10a2ccd5b3085f4819cbec9c14b63d6111198691b8e99c621dce2060fe4d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9b10a2ccd5b3085f4819cbec9c14b63d6111198691b8e99c621dce2060fe4d9
SHA3-384 hash: 8ed8f80329f6a26252276c1d7a95c4490c0ace6be765b40bb36eab2e520554e51336743f493dcb2ae1090e8b2e1c30bd
SHA1 hash: b4dcc3d58f74c4da27fe75e1faa2e8713c9f7005
MD5 hash: fbf556f08b2db4e6c606a9c041b910dc
humanhash: butter-lemon-comet-victor
File name:New Order Requirment.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'235 bytes
First seen:2021-12-21 13:58:40 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:Tf7mjD0XaII2zB5yd7Y1aJWvWk45V8jV2UPQK27ALxOQ1017:Tf7mv0KII2zBo1JyWkIV852U27AtQ
Threatray 13'587 similar samples on MalwareBazaar
TLSH T11941A69E3657F030A4690D93FD6B5C6D9AF1435A247CC4807A0CCFE01B399CC9681ABE
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215661/
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.5838.12404.9394.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
50%
Tags:
valyria wacatac
Link:
https://www.filescan.io/uploads/61c1dda84ab5c44cbf4b8600/reports/7400ae58-c345-4125-b689-d56883968dfd/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/910976
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543450 Sample: New Order Requirment.vbs Startdate: 21/12/2021 Architecture: WINDOWS Score: 84 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 7 wscript.exe 14 2->7         started        11 wscript.exe 2->11         started        process3 dnsIp4 40 hotelsidro.me 136.243.132.169, 49756, 49777, 80 HETZNER-ASDE Germany 7->40 46 System process connects to network (likely due to code injection or exploit) 7->46 48 Wscript starts Powershell (via cmd or directly) 7->48 50 Very long command line found 7->50 52 2 other signatures 7->52 13 cmd.exe 7->13         started        17 powershell.exe 14 20 7->17         started        20 powershell.exe 11->20         started        22 cmd.exe 11->22         started        signatures5 process6 dnsIp7 32 New Order Requirment.vbs:Zone.Identifier, ASCII 13->32 dropped 34 C:\Users\user\...34ew Order Requirment.vbs, ASCII 13->34 dropped 54 Command shell drops VBS files 13->54 24 conhost.exe 13->24         started        36 wizumiya.co.jp 52.68.15.223, 443, 49760, 49761 AMAZON-02US United States 17->36 38 192.168.2.1 unknown unknown 17->38 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9b10a2ccd5b3085f4819cbec9c14b63d6111198691b8e99c621dce2060fe4d9/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 13:59:08 UTC
File Type:
Text (VBS)
AV detection:
6 of 43 (13.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgyqulgnlmyil5ebts7mtqklmplbcemyneny5gogehooebqp4tmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
075d98e62c3f5fcbff5c865c72ca862087052e56f0bca4d564595be759f5f2cd
AgentTesla
0a756ae180555f71ca41152082bd43b3362b9bb4e14d3144d1c6694dc19cd087
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
4462d72d344373067a4a0556c1ef87e3fb07d8b1de7a5baa4580c3ed2b4d37c4
AgentTesla
51bf9ff43b1aedfebfcf03c71e5bba10a6704b2cf4503e5bbe680221652cc458
AgentTesla
542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def
AgentTesla
8a1f4c5dd931193a30be778708127588cce692ddef793d2b80c6c100b85113f0
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
cdfa65b74115db177e3d52f4a2b41b2e2e47f08c8e88c689e8ad8425cddf352a
AgentTesla
+ 13'577 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211221-rad2xaedhm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Blocklisted process makes network request
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2121726525:AAFrqm4Wr9ZjKe10NHMlMz_4y4K5MTixoBk/sendDocument
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a9b10a2ccd5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9b10a2ccd5b3085f4819cbec9c14b63d6111198691b8e99c621dce2060fe4d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs a9b10a2ccd5b3085f4819cbec9c14b63d6111198691b8e99c621dce2060fe4d9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/215661/

Comments