MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9a72ccaad2c22150062d59d79744e1ab3aa5a106aa0837bdde9e05ccb39c91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 7



SHA256 hash: b9a72ccaad2c22150062d59d79744e1ab3aa5a106aa0837bdde9e05ccb39c91e
SHA3-384 hash: e86adbfc885e09d07552874e8140ba6e8909ee1752437921a4651e4832603cba660f01e3d71a322cc9ccfd89309862d7
SHA1 hash: d55b5acf3a63fbc1e6154303c6c43cee9817a074
MD5 hash: ec8dee0c18ddbd51ba9b3f3da9b3ee5f
humanhash: foxtrot-kitten-idaho-pasta
File name: IFB.vbs
Signature: AgentTesla
File size: 144'970 bytes
First seen: 2023-08-10 18:44:20 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 3072:nzJdTomfZjKy+Wi+WP+Wv+WT+WO+W2+WI+Wi+Wo+WV+WF+WA+Wz+WS+Wp+Wj+W8e:zJdTomfZj2CnPTW2QaQ91AbqxDsVgwZF
Threatray: 4'422 similar samples on MalwareBazaar
TLSH: T129E3A911A5CFA48CF2723F43179E75E98F1BFBE61626606D3144130ACBAAE94CE58731
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Reporter: James_inthe_box
Tags: AgentTesla, vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 136
Origin country: US
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Threat name: n/a
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID: 1289623; Sample: IFB.vbs; Startdate: 10/08/2023; Architecture: WINDOWS; Score: 100)
Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Sigma detected: Drops script at startup location.
Process tree recovered from the graph:
wscript.exe (VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly))
  cmd.exe (Wscript starts Powershell (via cmd or directly); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks)
    cmd.exe (Wscript starts Powershell (via cmd or directly))
      powershell.exe (dropped: C:\Users\user\AppData\Roaming\...\Uh.vbs, Unicode; Suspicious powershell command line found; Drops VBS files to the startup folder; Found suspicious powershell code related to unpacking or dynamic code loading)
    PING.EXE (contacts 127.0.0.1)
    conhost.exe
  powershell.exe (Suspicious powershell command line found)
    powershell.exe
    conhost.exe
wscript.exe (Very long command line found)
  cmd.exe
    cmd.exe
      powershell.exe
    conhost.exe
    PING.EXE
  powershell.exe
    conhost.exe
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2023-08-10 18:44:18 UTC
File Type: Text (VBS)
AV detection: 7 of 23 (30.43%)
Threat level: 2/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction: https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments