MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd1cfccc52b5ead10729558fda4e8827cd116c1d98529fd821709d6890f88b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd1cfccc52b5ead10729558fda4e8827cd116c1d98529fd821709d6890f88b93
SHA3-384 hash: 205e06c8c01b8420377c40fe06f6dfc375fb8136841bc76438f5712c362bdb649541ea0ee674d1272dde8e8921e7a7db
SHA1 hash: d9126422c986b254ef06296768a9f6f65743093c
MD5 hash: bf3bb6d76d480941f01f473e07bc61fa
humanhash: fourteen-south-cardinal-steak
File name:S_D_93020304994440.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:300'634 bytes
First seen:2023-08-22 07:44:05 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:6zi6wrr2crrSreAQWhLpdwauSLDm0qaQrrrrd2BkLSWBsNw/2w2r2hoT/REHT3HH:6O/2w2r2hoTu
Threatray 5'616 similar samples on MalwareBazaar
TLSH T19754BF1020EE648DB1B37F921BED7CE94F6BB7A51A3A645D204C434B8B53E84CE55B32
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444074/
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Script.Hworm
Link:
https://www.hybrid-analysis.com/sample/bd1cfccc52b5ead10729558fda4e8827cd116c1d98529fd821709d6890f88b93
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294941
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1294941 Sample: S_D_93020304994440.vbs Startdate: 22/08/2023 Architecture: WINDOWS Score: 100 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 77 5 other signatures 2->77 8 wscript.exe 1 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 85 VBScript performs obfuscated calls to suspicious functions 8->85 87 Suspicious powershell command line found 8->87 89 Wscript starts Powershell (via cmd or directly) 8->89 13 cmd.exe 1 8->13         started        16 powershell.exe 5 8->16         started        91 Very long command line found 11->91 18 powershell.exe 11->18         started        20 cmd.exe 1 11->20         started        process5 signatures6 109 Wscript starts Powershell (via cmd or directly) 13->109 111 Uses ping.exe to sleep 13->111 113 Uses ping.exe to check the status of other devices and networks 13->113 22 cmd.exe 1 13->22         started        25 PING.EXE 1 13->25         started        28 conhost.exe 13->28         started        30 powershell.exe 14 16 16->30         started        32 conhost.exe 16->32         started        34 powershell.exe 18->34         started        36 conhost.exe 18->36         started        38 cmd.exe 1 20->38         started        40 2 other processes 20->40 process7 dnsIp8 79 Wscript starts Powershell (via cmd or directly) 22->79 42 powershell.exe 9 22->42         started        55 127.0.0.1 unknown unknown 25->55 57 188.114.96.7, 443, 49775 CLOUDFLARENETUS European Union 30->57 81 Writes to foreign memory regions 30->81 83 Injects a PE file into a foreign processes 30->83 46 RegAsm.exe 15 2 30->46         started        59 uploaddeimagens.com.br 188.114.97.7, 443, 49774 CLOUDFLARENETUS European Union 34->59 61 192.210.175.4, 49776, 49777, 80 AS-COLOCROSSINGUS United States 34->61 63 192.168.2.1 unknown unknown 34->63 49 RegAsm.exe 2 34->49         started        51 powershell.exe 9 38->51         started        signatures9 process10 dnsIp11 53 C:\Users\user\AppData\Roaming\...\ZBLm.vbs, Unicode 42->53 dropped 93 Suspicious powershell command line found 42->93 95 Drops VBS files to the startup folder 42->95 97 Found suspicious powershell code related to unpacking or dynamic code loading 42->97 65 api4.ipify.org 173.231.16.76, 443, 49778 WEBNXUS United States 46->65 67 api.telegram.org 149.154.167.220, 443, 49779, 49780 TELEGRAMRU United Kingdom 46->67 69 api.ipify.org 46->69 99 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->99 101 Tries to steal Mail credentials (via file / registry access) 46->101 103 Tries to harvest and steal browser information (history, passwords, etc) 46->103 105 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 49->105 107 May check the online IP address of the machine 49->107 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd1cfccc52b5ead10729558fda4e8827cd116c1d98529fd821709d6890f88b93/
Threat name:
Script-WScript.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 07:36:04 UTC
File Type:
Text (VBS)
AV detection:
1 of 37 (2.70%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xuopztcswxvncbzjkwh5utuie7grc3a5tbjj7wbbocowrehyrojq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
044cb562792bad9d4aa1fa99fcb642ed6bf4dd49af86938b75add85d021fa101
AgentTesla
1e5d0ecba17e0de6cf37f9a37e31c9c9a5883df357b0499592598d3921804b3a
AgentTesla
2ad4c4f27ff93553beebc1e426bd73cb6415c88bb233442fdc727de557a95c2d
AgentTesla
4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7
AgentTesla
ac9e25f541065a26fb3dcb26ac76ca5c5ffd44a03973a07f049730f0760d4b04
AgentTesla
c98f9d2a27cf5718577e4b9a2ed0f8bb606b1a5a79bf0f69b454ccd3d8522c15
AgentTesla
d2f74dbb944eb5699de861b7044b5aa9c9f3904d166bdab705a4024b0bc34eaf
AgentTesla
e1b7acfbe15a0fde89a1bb1f0f51142061b2ff50bc6c33c770a40f1c43b0d7f6
AgentTesla
e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
AgentTesla
f03f1ae3d3d6bde555d9bc841f8b11ee27459cb9937ae50298b24acb3190552e
AgentTesla
+ 5'606 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230822-jld72sag38/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd1cfccc52b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/bd1cfccc52b5ead10729558fda4e8827cd116c1d98529fd821709d6890f88b93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs bd1cfccc52b5ead10729558fda4e8827cd116c1d98529fd821709d6890f88b93

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/444074/

Comments