MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb
SHA3-384 hash: dec3f61cdfa2e8de45efa717665370593a7f4569d16e8dfbd14d32df6cdf615419cbc62954f29fdf178b7ba0f2631645
SHA1 hash: b6b1d1c89412ba55c9417f5dd8512059f273357e
MD5 hash: 6b831a0819656427ce2ecba949ebae4c
humanhash: michigan-fanta-sierra-river
File name:Spedizione Nicaragua_PDF.vbe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:47'505 bytes
First seen:2023-12-22 07:12:13 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 768:0kh/m5yKbAlNMIh07GLC2KlF3dkBCZ5RXYINgvRbNupK3BksGbzGe:0s/m5Chc4mTDZ5RIIN4Bqb9
Threatray 718 similar samples on MalwareBazaar
TLSH T1E72339A3DE4A1A1E8BBE2749DC309D45817884DA051E5029BEB90B8E2F0754CD3FF74B
Reporter abuse_ch
Tags:AgentTesla vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.7031.22578.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm lolbin masquerade wscript
Link:
https://www.filescan.io/uploads/65853704f4b6e5e163546166/reports/8c64f46b-9a69-43bb-83d0-d0e3b0b4fb8e/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366031
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Powershell uses Background Intelligent Transfer Service (BITS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366031 Sample: Spedizione_Nicaragua_PDF.vbe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 31 mail.inkomech.com 2->31 33 googlehosted.l.googleusercontent.com 2->33 35 5 other IPs or domains 2->35 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 5 other signatures 2->63 9 wscript.exe 1 2->9         started        12 svchost.exe 1 2 2->12         started        signatures3 process4 dnsIp5 65 Suspicious powershell command line found 9->65 67 Wscript starts Powershell (via cmd or directly) 9->67 69 Very long command line found 9->69 71 2 other signatures 9->71 15 powershell.exe 14 9->15         started        43 drive.google.com 192.178.50.46, 443, 49712, 49714 GOOGLEUS United States 12->43 45 googlehosted.l.googleusercontent.com 192.178.50.65, 443, 49713, 49715 GOOGLEUS United States 12->45 47 127.0.0.1 unknown unknown 12->47 signatures6 process7 signatures8 81 Suspicious powershell command line found 15->81 83 Very long command line found 15->83 18 powershell.exe 20 15->18         started        21 conhost.exe 15->21         started        23 cmd.exe 1 15->23         started        process9 signatures10 49 Writes to foreign memory regions 18->49 51 Powershell uses Background Intelligent Transfer Service (BITS) 18->51 53 Maps a DLL or memory area into another process 18->53 55 Found suspicious powershell code related to unpacking or dynamic code loading 18->55 25 MSBuild.exe 15 8 18->25         started        29 cmd.exe 1 18->29         started        process11 dnsIp12 37 mail.inkomech.com 103.6.196.109, 49723, 49724, 49725 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 25->37 39 api4.ipify.org 104.237.62.212, 443, 49722 WEBNXUS United States 25->39 41 142.250.217.161, 443, 49721 GOOGLEUS United States 25->41 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->73 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->75 77 Tries to steal Mail credentials (via file / registry access) 25->77 79 Tries to harvest and steal browser information (history, passwords, etc) 25->79 signatures13
Score:
94%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-22 01:10:54 UTC
File Type:
Text (VBS)
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxajwbfsefika5szgw4h25v6kxrlrilysmnsh3iejtb4ldtc6dvq._file
Verdict:
malicious
Similar samples:
1c8ba53a0df3d48bd031a348f36b5d75ac78db8d94987a3368a9c49429b47222
AgentTesla
26e297f8f4bf5837af4c8b5132598c2eed45245c4f6baf0e8c960ff2a555989e
AgentTesla
404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079
AgentTesla
7384dec8a7a13e1709dff93154c0cd796055798a19fe470f30c211a991d46849
AgentTesla
87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
AgentTesla
92ce47945cd3524d616b5ebc20899479c6a9fae199169322a24290d19e9adfb0
AgentTesla
afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6
AgentTesla
b94bcb3ea1cef8b1759856c06c57264332223216fda926fdb58bc848e5a5494d
AgentTesla
e479c0b49b6fe13242fc767e1db58067b61e4c16ff7068d3b39c4d8c2836428f
AgentTesla
f68f1af4eb16d6d185899ace2e951c196a80591bde4134cf290e69eea91d5472
AgentTesla
+ 708 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231222-h13zaabfej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5c09b04b221/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbe) vbe b5c09b04b22150a0765935b87d76be55e2b8a178931b23ed044cc3c58e62f0eb

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments