MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d154784bed48b36890a816c7d508b317dbc6b506c5c5726389611b9e142c020d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d154784bed48b36890a816c7d508b317dbc6b506c5c5726389611b9e142c020d
SHA3-384 hash: c7128ae71dcf507e5a83f1114cbe0453cc914b4642301153a79137e690763ced78a9191135578b79a63913980ecbb623
SHA1 hash: 32096c6bfb8597f3db1c8b22df721ddac0a954ef
MD5 hash: 814785163f535e1427f2d748f2385320
humanhash: six-mockingbird-salami-harry
File name:CD09598534.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:600'106 bytes
First seen:2023-07-24 15:13:34 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:c5XNsn1+7HLDVZGMxzakgTTvLnM49BLi0Nx95MsyR4yIYbdHznXmxLJIrCsS4CYz:Zn+qMxzakV4rLi0Nx95MsyR7
Threatray 5'172 similar samples on MalwareBazaar
TLSH T1A8D434116EDF100479B3BE9957E834A60B7B7B712A39C01E619E140917EBCC0EDA4F7A
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431200/
Detection(s):
SecuriteInfo.com.VBS.Agent.BBN.17504.10146.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Suspicious
Labled as:
VBS/Agent.BBN
Link:
https://www.hybrid-analysis.com/sample/d154784bed48b36890a816c7d508b317dbc6b506c5c5726389611b9e142c020d
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278657
Signature
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278657 Sample: CD09598534.vbs Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Antivirus detection for URL or domain 2->51 53 5 other signatures 2->53 8 wscript.exe 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        process3 signatures4 63 VBScript performs obfuscated calls to suspicious functions 8->63 65 Suspicious powershell command line found 8->65 67 Wscript starts Powershell (via cmd or directly) 8->67 69 Very long command line found 8->69 15 powershell.exe 15 8 8->15         started        process5 dnsIp6 35 yorkrefrigerent.md 195.178.106.125, 443, 49720 TOPHOST-MD-ASRMoldovaChisinauParis18ARO Romania 15->35 37 192.168.2.1 unknown unknown 15->37 39 Suspicious powershell command line found 15->39 41 Creates autostart registry keys with suspicious values (likely registry only malware) 15->41 43 Writes to foreign memory regions 15->43 45 2 other signatures 15->45 19 MSBuild.exe 2 15->19         started        23 MSBuild.exe 15->23         started        25 powershell.exe 12 15->25         started        27 2 other processes 15->27 signatures7 process8 dnsIp9 31 itzayanaland.com 107.161.75.133, 49721, 587 IWEB-ASCA Canada 19->31 33 mail.itzayanaland.com 19->33 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->55 57 Tries to steal Mail credentials (via file / registry access) 19->57 59 Tries to harvest and steal browser information (history, passwords, etc) 19->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->61 29 conhost.exe 25->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d154784bed48b36890a816c7d508b317dbc6b506c5c5726389611b9e142c020d/
Threat name:
Script-WScript.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 15:14:07 UTC
File Type:
Text (VBS)
AV detection:
6 of 38 (15.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fkhqs7njczwrefic3d5kcftc7n4nnigyxcxey4jmenz4fbmaigq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1423a5d778e4db72f847f8841bb1dc04babace000a2ac3047ec1b8403d797db7
AgentTesla
153c3fbb73c454e077ba248871f1159f8d6c9df46d5f42d35ac6d99713ab09b0
AgentTesla
2deb6ee58cf11a940854730c33d0af2c0e36f5f1ab8d25e6a28961464eababbb
AgentTesla
5f8a41561a896a1b39c6adac5d21ada3fce2b6640deaa44fc22824f84c8064f1
AgentTesla
71f89701ea665ab429c5fabb91f89053ca165bfc489b54d963e7c4cfbb3338f3
AgentTesla
a444429e646f262a1380c2ec47c7459010b36f1ded2174026584d43070974da7
AgentTesla
b193ccd7335c6ff72974c4473c7848b1a917ad0842f752752d921b2e63e90236
AgentTesla
c9463aa342eb6e6aee71c05a6780f7a467dfb7e86330567a830ce490289bc236
AgentTesla
+ 5'162 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230724-smb9hseg75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d154784bed48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d154784bed48b36890a816c7d508b317dbc6b506c5c5726389611b9e142c020d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs d154784bed48b36890a816c7d508b317dbc6b506c5c5726389611b9e142c020d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/431200/

Comments