MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de
SHA3-384 hash: ab1c78d98f5418f1bb4ef85c598c9ef4b9800da4fd2e4de3e808875d021de2d03b95137595f2bc4dea51e72361fdc889
SHA1 hash: 55a21624adb860fe924db2c74d4086abba173de1
MD5 hash: 146b7ae8e3fba240e1b15b58059e980e
humanhash: white-helium-happy-pizza
File name:Receipt.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'054 bytes
First seen:2021-05-26 17:40:21 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:4h5qTmYnphXvhJRUGOhScr47sBMXpyHx4URwLS:4vQmYnphJJRUGgSWGQMgniS
Threatray 5'190 similar samples on MalwareBazaar
TLSH C611F60A7B0877B34032A2DD1BD129D943DE49D4F3A5F1710DCBC4C6FEB86A89A550A4
Reporter abuse_ch
Tags:AgentTesla vbs


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162546/
Detection(s):
SecuriteInfo.com..12547.27338.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792774
Signature
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 425172 Sample: Receipt.vbs Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Yara detected AgentTesla 2->33 35 Yara detected AgentTesla 2->35 37 2 other signatures 2->37 8 wscript.exe 1 2->8         started        process3 signatures4 43 VBScript performs obfuscated calls to suspicious functions 8->43 45 Wscript starts Powershell (via cmd or directly) 8->45 47 Obfuscated command line found 8->47 11 powershell.exe 14 22 8->11         started        process5 dnsIp6 25 ia601503.us.archive.org 207.241.227.113, 443, 49706 INTERNET-ARCHIVEUS United States 11->25 27 ia601403.us.archive.org 207.241.227.123, 443, 49715 INTERNET-ARCHIVEUS United States 11->27 29 ia601406.us.archive.org 207.241.227.126, 443, 49714 INTERNET-ARCHIVEUS United States 11->29 49 Creates an undocumented autostart registry key 11->49 15 powershell.exe 23 11->15         started        18 conhost.exe 11->18         started        signatures7 process8 signatures9 51 Writes to foreign memory regions 15->51 53 Injects a PE file into a foreign processes 15->53 20 aspnet_compiler.exe 2 15->20         started        23 aspnet_compiler.exe 2 15->23         started        process10 signatures11 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 17:41:10 UTC
AV detection:
2 of 47 (4.26%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3oksklcrhaf5cjyk6ua4xqcazzzkhlkvcflfezma4thdtm76wdpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10
AgentTesla
10a30b9776bb8981976fe678e4538e68c8fbbb0a57f34934978b3df7238be8d5
AgentTesla
33b2e62e08629bd097db93a9307d133cfc2fb8732c10a75c2bce199f56408e9c
AgentTesla
3bd531bf7f5b3d7b331a325ebc1f71d8b59c5db9b0c03287137beb0931012a09
AgentTesla
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
AgentTesla
777a1b5eb79e751f4684f825ef2a5df80433a2d4e20f921d4f747e904793f3d2
AgentTesla
be210663fa2f732768adccd12d26b56cc23740d433481f748ce7401c75f41e72
AgentTesla
c8fd60e02919b35511d2de6b238933cacc3b5cfb75598076a3923e5544ee44ae
AgentTesla
cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117
AgentTesla
d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
AgentTesla
+ 5'180 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210526-hthwk2489j/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
AgentTesla Payload
AgentTesla
Malware Config
Dropper Extraction:
https://ia601503.us.archive.org/9/items/all-gdteh/ALL_gdteh.TXT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/162546/

Comments