MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b27a2ffd8bfdfccbcc957473ac4492c13769913e2892bc41543e5b6bdf3aa2b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 10



SHA256 hash: b27a2ffd8bfdfccbcc957473ac4492c13769913e2892bc41543e5b6bdf3aa2b8
SHA3-384 hash: 22f41f3337e55b1143b607e03a57edd8dbb94233d29b14ce1c09bb244ead11f7629c65c878b7df5c368630668650dce2
SHA1 hash: d05616bdaebb99b9666dd4748cb6ec65222db151
MD5 hash: e017a9394fedd56c4a42d2dfe2b4d869
humanhash: hawaii-uncle-queen-orange
File name: INVOICE PDF.vbs
Signature: AgentTesla
File size: 56'906 bytes
First seen: 2023-12-04 14:11:02 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 1536:9+8+aDJAkChjJsCujxLeiO927WSidDyE1Uituy4tfC95fSx1JFr5rshhf/nKI2Zq:I8+aDJAkChVsCujxLeT9eWSidDyE1UiN
Threatray: 3'704 similar samples on MalwareBazaar
TLSH: T13F43875F5EB4028500FB1E5EB6C80895F4964853CB7D9C7838B8791A2D34F843D7AEAB
Reporter: malwarelabnet
Tags: AgentTesla GuLoader vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 119
Origin country: CA
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm lolbin masquerade powershell wscript
Result
Verdict: MALICIOUS
Result
Threat name: AgentTesla, GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Powershell uses Background Intelligent Transfer Service (BITS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph (ID 1353240; sample INVOICE_PDF.vbs; start date 04/12/2023; architecture WINDOWS; score 100). Information recovered from the graph:
Process chain: wscript.exe -> powershell.exe -> powershell.exe (with conhost.exe) -> MSBuild.exe; svchost.exe is also started from the sample.
Network contacts: theilovemepodcast.co.uk (178.159.36.102; 49733, 49739, 49741; PIHL-ASRU, Russian Federation; contacted via svchost.exe); 127.0.0.1 (via svchost.exe); api4.ipify.org (104.237.62.212; 443, 49742; WEBNXUS, United States; via MSBuild.exe); ftp.mcmprint.net (185.31.121.136; 21, 49743; RAX-ASBG, Bulgaria; via MSBuild.exe); 4 other IPs or domains.
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 6 other signatures.
wscript.exe signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found.
First powershell.exe signatures: Suspicious powershell command line found; Very long command line found.
Second powershell.exe signatures: Writes to foreign memory regions; Powershell uses Background Intelligent Transfer Service (BITS); Maps a DLL or memory area into another process; Found suspicious powershell code related to unpacking or dynamic code loading.
MSBuild.exe signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-12-04 14:12:03 UTC
File Type: Text (VBS)
AV detection: 1 of 37 (2.70%)
Threat level: 5/5
Result
Malware family: guloader
Score: 10/10
Tags: family:agenttesla family:guloader downloader keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Guloader, Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments