MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8
SHA3-384 hash: 6bbf8c171fd9dd1a1f7532d1f03c426468279b438e28624256d0496b946e164425a9990df08e42ee9de52dbaa005ef04
SHA1 hash: 79e677b68313d7866199bd1b48e39ec0fed164df
MD5 hash: 9024ed9423885c42335a151dfcefc576
humanhash: avocado-ten-north-berlin
File name:IFE Gmbh,and Engineering Request for Quotation (RFQ).vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:326'730 bytes
First seen:2023-07-06 06:51:23 UTC
Last seen:2023-07-07 07:00:36 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:zBBcRvxarYgnF600/tKx3y4ZJDlIh6dJhq:zBBnq6DlIh6dJhq
Threatray 4'514 similar samples on MalwareBazaar
TLSH T11B64F203719ACCE962D2BA67415BFD784BF7F9C9943D927A44CC4A0E87D290C89067E3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter lowmal3
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
3
# of downloads :
121
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/408905/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.11885.4804.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
lolbin replace
Link:
https://www.filescan.io/uploads/64a66494784d6094d919d6e2/reports/04a2b10b-492e-40cc-9214-9dbcd3dd9d1d/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.VBS
Link:
https://www.hybrid-analysis.com/sample/bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1267821
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1267821 Sample: IFE_Gmbh,and_Engineering_Re... Startdate: 06/07/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 5 other signatures 2->42 8 wscript.exe 1 2->8         started        process3 signatures4 52 VBScript performs obfuscated calls to suspicious functions 8->52 54 Suspicious powershell command line found 8->54 56 Wscript starts Powershell (via cmd or directly) 8->56 11 powershell.exe 7 8->11         started        process5 signatures6 58 Suspicious powershell command line found 11->58 60 Found suspicious powershell code related to unpacking or dynamic code loading 11->60 14 powershell.exe 14 15 11->14         started        18 conhost.exe 11->18         started        process7 dnsIp8 32 cryptersandtools.minhacasa.tv 186.210.128.242, 49693, 80 ALGARTELECOMSABR Brazil 14->32 34 194.180.48.80, 49694, 80 LVLT-10753US Germany 14->34 62 Writes to foreign memory regions 14->62 64 Injects a PE file into a foreign processes 14->64 20 RegAsm.exe 2 14->20         started        24 RegAsm.exe 14->24         started        signatures9 process10 dnsIp11 26 seylan-lk.icu 194.36.191.196, 49695, 587 HSAE Netherlands 20->26 28 mail.seylan-lk.icu 20->28 30 192.168.2.1 unknown unknown 20->30 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->44 46 Tries to steal Mail credentials (via file / registry access) 20->46 48 Tries to harvest and steal browser information (history, passwords, etc) 20->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->50 signatures12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-07-06 06:52:07 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxb3hffw7jsh4e7tw4uhq3auuwhejl47c5cwgvikpovvpayd2hea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b30ef2d36a2b3017821cbd3e6ae4d141be417c0fc72d8289deb79dfedbea4b9
AgentTesla
1d0cf9a5e034371075cf0a328d98c53f4eeb74325d61ee956222346ebb1f5497
AgentTesla
2c37a2e69e921672a2a9a14b9af4def2a610518cdfcab485bd7cb6bbbd7e2980
AgentTesla
3bf7b7244aaf94354649a6fcecee9add95d2e4768e8d60fb342202801ab16139
AgentTesla
53e575805dc9d69c41f366e65946a7d4adf051f322f463f70e9b2f80d50450cb
AgentTesla
5ab22e56eeec62218a25df2b827421b501188978e80fa4ec531479d38ea3f5f2
AgentTesla
5d9b4040ddbe244b25286a81045c02f81f9ba9995f9583405eb11211ad3554c3
AgentTesla
9f61fe0c95d1c2021eb396c026b8e5bd953a8acf1c448a32bfdb985f4767da65
AgentTesla
b8aa2fc67d0bcc2e13632e68773ea7d7264e77d1798c6bf1eb8b1c8e9ae41df2
AgentTesla
cd917c86fe27ecd3feeca690377817bce1f4034830e6d68a19dbffc8c61e97bb
AgentTesla
+ 4'504 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230706-hm3rcsag7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla
Malware Config
Dropper Extraction:
http://cryptersandtools.minhacasa.tv/e/e
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdc3b394b6fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2b94576fd11ef2c01df19e1170274e70e5c63dc307959b6470a94df6d5b8d823

AgentTesla

Visual Basic Script (vbs) vbs bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/408905/
  
Dropped by
SHA256 2b94576fd11ef2c01df19e1170274e70e5c63dc307959b6470a94df6d5b8d823
  
Dropped by
MD5 459a79b6583f9c4cfc2fc3d5df6f7988

Comments