MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3
SHA3-384 hash: aabdf6f0d2502a0bbf6a0861464c7082a095bd96ef51be5d2be4c1e10398f9ed6b256ee8b368c7fa9efdf1b1df8ff093
SHA1 hash: a1aa8f3cc9b99eff6120f711e021db6ca3432981
MD5 hash: 6d84a10af01b3059cf93eee48adcd194
humanhash: burger-bluebird-kansas-tennis
File name:confirme.js
Download: download sample
Signature AgentTesla
Create hunting rule
File size:111'360 bytes
First seen:2023-07-21 06:24:19 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:O0IIIIc0IIIIa0IIIIp0IIIId0IIIIL0IIIIV0IIIIH0IIIII0IIIIm0IIIIY0IT:H
TLSH T182B3BE0161EB61CC72B33B1657EF95D88F2BB6961B3A518E2148270F4B83E54CE56B33
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla js


Avatar
abuse_ch
Payload URL:
https://uploaddeimagens.com.br/images/004/550/617/original/js.jpg

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Obfus-101.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-2314.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277328
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: RegAsm connects to smtp port
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277328 Sample: confirme.js Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Sigma detected: RegAsm connects to smtp port 2->43 45 2 other signatures 2->45 8 wscript.exe 1 2->8         started        process3 signatures4 47 JScript performs obfuscated calls to suspicious functions 8->47 49 Suspicious powershell command line found 8->49 51 Wscript starts Powershell (via cmd or directly) 8->51 11 powershell.exe 15 17 8->11         started        process5 dnsIp6 25 uploaddeimagens.com.br 188.114.96.7, 443, 49698 CLOUDFLARENETUS European Union 11->25 53 Suspicious powershell command line found 11->53 55 Creates autostart registry keys with suspicious values (likely registry only malware) 11->55 57 Writes to foreign memory regions 11->57 59 2 other signatures 11->59 15 RegAsm.exe 2 11->15         started        19 powershell.exe 9 11->19         started        21 conhost.exe 11->21         started        signatures7 process8 dnsIp9 27 mail.grasscarpet.ae 162.241.224.191, 49700, 587 UNIFIEDLAYER-AS-1US United States 15->27 29 192.168.2.1 unknown unknown 15->29 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->31 33 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 23 conhost.exe 19->23         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-21 06:25:06 UTC
File Type:
Text (JavaScript)
AV detection:
1 of 38 (2.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=337lwbcs3e4tclhi4p6sjvnyrjdbjnf22gyqeunkvr2rcwzpngrq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230721-hhg9vscd55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/550/617/original/js.jpg?1689806287
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Java Script (JS) js defebb0452d939312ce8e3fd24d5b88a4614b4bad1b10251aaac75115b2f69a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2686879/
  
Delivery method
Distributed via e-mail attachment

Comments