MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
SHA3-384 hash:	3a1c224d8468868e847e5721ccbf27891fb8078702826860794bc3fd3bd988ec07d5b1803e1d22dac671375b16570caf
SHA1 hash:	1fe4483c54fa7da0ea4ee769a36d8717da12e0d1
MD5 hash:	3d54b88bf2b6bcd1126ef4eb20d9e9f9
humanhash:	football-spaghetti-oklahoma-football
File name:	droidddxxxPayload.vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	95'044 bytes
First seen:	2023-05-08 20:33:46 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	768:mnHGdUBDCKtfYjE3Luo4+eaWZxidnOk9p0YFPk9Wai2Y:OHGd+CKtfSo4+sxidnOk9p0YFNai2Y
Threatray	3'164 similar samples on MalwareBazaar
TLSH	T1C393B162A3ED5108F2F33F50B9FD65214A3BFEE99C36C94D428456AD46A2940DCB1733
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Reporter	pr0xylife
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/387605/

Detection(s):

SecuriteInfo.com.URL.Downldr.CU.gen.Eldorado.12714.14707.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

sload

Link:

https://www.filescan.io/uploads/64595cba890517bfb2b82eac/reports/97e3a2c0-3dfa-48b5-81fb-c22945e85b05/overview

Verdict:

Malicious

Labled as:

URL/Downldr.CU.gen

Link:

https://www.hybrid-analysis.com/sample/d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15

Result

Verdict:

UNKNOWN

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1228658

Signature

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Suspicious command line found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2023-05-08 20:34:06 UTC

File Type:

Text

AV detection:

8 of 24 (33.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3flxuep3sphqtqra64gqq7sv5nghyx7nau325pmacpt6agunlukq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

AgentTesla

316483bf87a8932bf0d84dd527cce96da936a5612b005f5051b2656c39a9be62

AgentTesla

32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db

AgentTesla

478bd9421ff11177d8974922f1eec334f1af15845054ce1dbc42b1c9bbd4a484

AgentTesla

7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64

AgentTesla

976671946ff6f75662ad1e8945d3cffd6f5cdfdc4a675a6ca50c6030d589ef46

AgentTesla

e75e7b4f4db640c54deb092dd373afa2b692a2078461cd0193e2b54b84c8250c

AgentTesla

f07483b6c09732c8d5e094bd2e2b405477ddbf8e220c12bd7982bc132cf44a04

AgentTesla

fec6af49d1a7c7b4bf3af5e663b80ff142788e7d79b312a2180ec7b8b89f18d9

AgentTesla

+ 3'154 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/230508-zceefsed6z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Blocklisted process makes network request

Malware Config

Dropper Extraction:

http://172.174.176.153/dll/new_rump_vb.net.txt

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d9577a11fb93/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_VBS_Wscript_Shell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon