MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18
SHA3-384 hash: 7475d0f639eef7c9bb8bc1f041ab38dcedd7cbbc954d2e28c04b431b01ecab142bf473d39775b041ec8be5d543921622
SHA1 hash: 53c9c98bc3df7c6de2c6e9bbd673358db884c42a
MD5 hash: 9693079116e9abb7ac2160191c8164af
humanhash: rugby-wisconsin-batman-lion
File name:nicko.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:369'712 bytes
First seen:2023-10-20 17:13:03 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:KEIUhmBXWnFph3UKWhmynwrcw9Ot5xlDxuz0sspjyJIbEMZDcp/C44/mqIDbDxUo:KEIUhmBXWnFphkKWNnPw9Ot5xlDxuz0+
Threatray 590 similar samples on MalwareBazaar
TLSH T1A774E86079EF914CB6B37F635BE9B9D98E6FF7622626505E204403074723E80CE91B72
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter James_inthe_box
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.26053.9224.UNOFFICIAL
Create hunting rule

Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329435
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell download and load assembly
Sigma detected: RegAsm connects to smtp port
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329435 Sample: nicko.vbs Startdate: 20/10/2023 Architecture: WINDOWS Score: 100 25 mail.industrialgh.com 2->25 27 industrialgh.com 2->27 29 3 other IPs or domains 2->29 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 6 other signatures 2->49 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 59 VBScript performs obfuscated calls to suspicious functions 9->59 61 Suspicious powershell command line found 9->61 63 Wscript starts Powershell (via cmd or directly) 9->63 65 3 other signatures 9->65 12 powershell.exe 7 9->12         started        process6 signatures7 67 Suspicious powershell command line found 12->67 69 Found suspicious powershell code related to unpacking or dynamic code loading 12->69 15 powershell.exe 14 15 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 35 imageupload.io 104.21.83.102, 443, 49713 CLOUDFLARENETUS United States 15->35 37 193.42.33.51, 49714, 80 EENET-ASEE Germany 15->37 39 Writes to foreign memory regions 15->39 41 Injects a PE file into a foreign processes 15->41 21 RegAsm.exe 15 2 15->21         started        signatures10 process11 dnsIp12 31 industrialgh.com 68.70.164.13, 49716, 587 NETSOURCEUS United States 21->31 33 api4.ipify.org 104.237.62.212, 443, 49715 WEBNXUS United States 21->33 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->53 55 Tries to steal Mail credentials (via file / registry access) 21->55 57 2 other signatures 21->57 signatures13
Score:
99%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-10-20 17:12:58 UTC
File Type:
Text (VBS)
AV detection:
6 of 22 (27.27%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pxacplnggewtd4g667rbowh2snosrgvotsa63yirdlqfvjpzuma._file
Verdict:
malicious
Similar samples:
11e812da55ed18d2337cf3249cf00df14fd1442f1914dcd177eb36df329d3e2e
AgentTesla
1a8561c3f0514187a4575028d0425ffd30c9da14d9bc5eece8ee0828e16891dd
AgentTesla
4c586bb1d1197451bf41ce8be61cfa82d237ddbfcaf3815303d8ff393803721b
AgentTesla
5c485141f97385046d2a64a4a93c1ad50682cd97e3e5cbe1b3f6e9e0472efd56
AgentTesla
5dde21be9d6b2fffde1eeab3dd6fc370bf6c47f047d9dc7e16c5e9f0ead13b96
AgentTesla
62534a146dc4b71bb4861d8924706ff594a92884257e540b6bd444e0b580f0f0
AgentTesla
9aecf5734ff36e456fd5a50650b083c1d521d36212c0a440ec6202fc00d14380
AgentTesla
fe36c4907fb678f6da358dc16c0bc9115f92a5a2fcc51d0aa8b496a4d0bd3e65
AgentTesla
+ 580 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231020-vrftlsfh94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Detect ZGRat V1
ZGRat
Malware Config
Dropper Extraction:
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3ee013d6d31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments