MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236
SHA3-384 hash: 1d4696eb56e6e111a57782cb7880f27ffc3ce5a95023f46af215641965c89f0c69dfc0ccefa1bb51c80916299eb5dd32
SHA1 hash: d0052f0e975666ca7d2d9981559e3c9da7c4a609
MD5 hash: 55ca9017564f39446b5ae20a50f5577f
humanhash: solar-india-michigan-don
File name:CD-PO9707979.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:576'492 bytes
First seen:2023-07-24 15:13:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:c5XNsn1+7HLDVZCMxzakmTWHM4dhLCUNR95MMyR4yKYbdHznXmxLJIrCsS4CYuGz:Zn+uMxzakO4rLCUNR95MMyR9
Threatray 5'167 similar samples on MalwareBazaar
TLSH T10AC4C1106E9F210475B37F9A5BE824A9872B7B755B35941E308B060A07DBD94ECF0F3A
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431201/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.17397.19406.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
VBS/Agent.BBN
Link:
https://www.hybrid-analysis.com/sample/b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278656
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278656 Sample: CD-PO9707979.vbs Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected AgentTesla 2->38 40 2 other signatures 2->40 8 wscript.exe 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        process3 signatures4 50 VBScript performs obfuscated calls to suspicious functions 8->50 52 Suspicious powershell command line found 8->52 54 Wscript starts Powershell (via cmd or directly) 8->54 56 Very long command line found 8->56 15 powershell.exe 15 8 8->15         started        process5 signatures6 58 Suspicious powershell command line found 15->58 60 Creates autostart registry keys with suspicious values (likely registry only malware) 15->60 62 Writes to foreign memory regions 15->62 64 2 other signatures 15->64 18 ilasm.exe 2 15->18         started        22 powershell.exe 12 15->22         started        24 conhost.exe 15->24         started        process7 dnsIp8 28 hermosanairobi.com 192.81.170.3, 26, 49695 AS-UPTIMECA Canada 18->28 30 mail.hermosanairobi.com 18->30 32 192.168.2.1 unknown unknown 18->32 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->44 46 Tries to steal Mail credentials (via file / registry access) 18->46 48 Tries to harvest and steal browser information (history, passwords, etc) 18->48 26 conhost.exe 22->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236/
Threat name:
Script-WScript.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 13:02:34 UTC
File Type:
Text (VBS)
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgj4zvztlrx7okluyrdty6ciwgurpliiil3ve5jnsins4y7jai3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1423a5d778e4db72f847f8841bb1dc04babace000a2ac3047ec1b8403d797db7
AgentTesla
153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0
AgentTesla
37862b04beaaaf7007d5f3095ba345034ccaf5ce574edb01a76f97e895ecbb2a
AgentTesla
71f89701ea665ab429c5fabb91f89053ca165bfc489b54d963e7c4cfbb3338f3
AgentTesla
bf7683710b995d5fef6a54af481950c11be88d14f49b45815be07eb149ffb18c
AgentTesla
c6dc183e0a2208e4a95bbed33b18f8ec0fac159bc5aab10490df7d2dd78026b4
AgentTesla
cd45acb8d6995389a4667133e25d150f6f62e5dac5bed0f6f043d40bb59488d4
AgentTesla
d4ea06a7ded54d4950abd0a2d04487648da3f3fb0df2c1561196b02fbe0936f0
AgentTesla
de59559170968acc750e3a862b5125ecb1c0be7fd5bfd58cb1981e65fb147aaa
AgentTesla
+ 5'157 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230724-smb9hseg76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b193ccd7335c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/431201/

Comments