MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5c28d591dee22fc0e4c729d2d6fa990e1c0c09acf9dfcc2ad20db3e0fb2e6df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5c28d591dee22fc0e4c729d2d6fa990e1c0c09acf9dfcc2ad20db3e0fb2e6df
SHA3-384 hash: 072360318d3f9430d3614d84ad0f02be4e8e167304a41c14213cb6d8a6c29424a149fad18a82696113bd42f9bf925080
SHA1 hash: a947f8eb752681d3807a12255e029b293657d539
MD5 hash: 2a269f11b6fbfe69ebfce26adf8b12de
humanhash: missouri-summer-blossom-vermont
File name:mondyyyy.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:430'832 bytes
First seen:2023-01-09 17:13:47 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:wrM+Akk27tUYRq6s6XRdFa2bQqjQnf+D7r:wrM+Akk27tUYRqf6XDFa2bQqjwf+D7r
Threatray 20'444 similar samples on MalwareBazaar
TLSH T1C39419113195608881D498E78EDBF528D777F3F10B349CABA0ED170B5BCF8829915BEA
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter pr0xylife
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351228/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63bc4b5ca70bef46551df6ee/reports/542e1f88-40b0-400a-b8c7-d6e7b1048312/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148189
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780921 Sample: mondyyyy.vbs Startdate: 09/01/2023 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 2 other signatures 2->34 7 wscript.exe 1 2->7         started        process3 signatures4 36 VBScript performs obfuscated calls to suspicious functions 7->36 38 Suspicious powershell command line found 7->38 40 Wscript starts Powershell (via cmd or directly) 7->40 10 powershell.exe 14 15 7->10         started        process5 dnsIp6 22 172.174.176.153, 49691, 80 ATT-INTERNET4US United States 10->22 24 195.178.120.24, 49692, 80 HEXAGLOBE-ASFR unknown 10->24 42 Writes to foreign memory regions 10->42 44 Injects a PE file into a foreign processes 10->44 14 RegAsm.exe 15 2 10->14         started        18 RegAsm.exe 10->18         started        20 conhost.exe 10->20         started        signatures7 process8 dnsIp9 26 ftp.ocp.mx 205.251.153.232, 21, 49699 NTHLUS United States 14->26 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->46 48 Tries to steal Mail credentials (via file / registry access) 14->48 50 Tries to harvest and steal ftp login credentials 14->50 52 Tries to harvest and steal browser information (history, passwords, etc) 14->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5c28d591dee22fc0e4c729d2d6fa990e1c0c09acf9dfcc2ad20db3e0fb2e6df/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-01-09 17:14:06 UTC
File Type:
Text (VBS)
AV detection:
3 of 41 (7.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxbi2wi55yrpydsmokos235jsdq4bqe2z6o7zqvnednt4d5s43pq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6a62efe173a9eedf1175a22e079547b476828850019a0847491d0d6b61e7afb4
AgentTesla
6faebec8aa383683e58352a37735ddad2d4137e757080a0d4f781f411e0ed6b3
AgentTesla
71640a3e775e5585e125364f33908a2c182f3e8682c9937ab1e3659bc9a04bd6
AgentTesla
86874045d7c7065215ec5b09a6e7e37429b16691711086bc2a0452bb01851437
AgentTesla
88273e3c8b21831b5e66320d0abadc521ab5e435b3ee82f2d537bcee048b6572
AgentTesla
8c51bd57966ec69de3ab44f909272ba471ba7aa29728e182689e715747a3f507
AgentTesla
a896460d87b28a154dc6d789298bc39545cf0569f2f32a3d5e92fd52d1777f23
AgentTesla
c0a0b110892a3d8beef47a6e63b255c731265165b15c0f7b8452404ab1080fcc
AgentTesla
+ 20'434 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230109-vrzlqaad61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla payload
AgentTesla
Malware Config
Dropper Extraction:
http://172.174.176.153/dll/NoStartUp.ppam
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5c28d591dee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5c28d591dee22fc0e4c729d2d6fa990e1c0c09acf9dfcc2ad20db3e0fb2e6df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351228/

Comments