MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1
SHA3-384 hash: 08e22f4ebf6515e9fb60fe9abfd3c077561bcbcd61a1b1d2ef031188308ca59fa4e87818679d18d0c797e035a27c65fe
SHA1 hash: ccf018fb85d4e0fb83080930633bfac86c6b3cfa
MD5 hash: ec9c61e8e1af8bc41ed62bc6ef21ae79
humanhash: king-golf-seven-crazy
File name:LOI_Vessel_Request.js
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'701 bytes
First seen:2025-04-17 11:28:40 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:hjdxTD55FnaaMjGwwLw5cvkMhwLsMgO5wLfhwLjGkM+wLYaMzbcwEsMwLKvzvzUb:94ALOUOv/UOvh
Threatray 3'785 similar samples on MalwareBazaar
TLSH T16E71E9E40CA99EBE3031C48DBCCEC9595DD07AAD3D0F3CE9461BB44BAB4414E6D60874
Magika javascript
Reporter abuse_ch
Tags:AgentTesla js

Intelligence

File Origin
# of uploads :
1
# of downloads :
479
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800e81f2203b3e10cd0312c
Tags:
obfuscate xtreme shell lien
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6800e61389fec6b88b9e82c2/reports/878c0cb6-26d7-40d8-8ede-92543f31e74a/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667438
Signature
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: MSBuild connects to smtp port
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667438 Sample: LOI_Vessel_Request.js Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 35 ia801700.us.archive.org 2->35 37 aguout12.lovestoblog.com 2->37 39 4 other IPs or domains 2->39 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 12 other signatures 2->61 9 wscript.exe 1 1 2->9         started        13 svchost.exe 1 1 2->13         started        15 wscript.exe 2->15         started        signatures3 process4 dnsIp5 45 aguout12.lovestoblog.com 185.27.134.110, 49681, 49689, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 9->45 71 System process connects to network (likely due to code injection or exploit) 9->71 73 JScript performs obfuscated calls to suspicious functions 9->73 75 Suspicious powershell command line found 9->75 77 3 other signatures 9->77 17 powershell.exe 14 16 9->17         started        47 127.0.0.1 unknown unknown 13->47 signatures6 process7 dnsIp8 31 ia801700.us.archive.org 207.241.233.30, 443, 49688 INTERNET-ARCHIVEUS United States 17->31 33 archive.org 207.241.224.2, 443, 49687 INTERNET-ARCHIVEUS United States 17->33 49 Found Tor onion address 17->49 51 Writes to foreign memory regions 17->51 53 Injects a PE file into a foreign processes 17->53 21 MSBuild.exe 15 2 17->21         started        25 cmd.exe 1 17->25         started        27 conhost.exe 17->27         started        signatures9 process10 dnsIp11 41 162.254.34.31, 49691, 587 VIVIDHOSTINGUS United States 21->41 43 api.ipify.org 172.67.74.152, 443, 49690 CLOUDFLARENETUS United States 21->43 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->63 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->65 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 2 other signatures 21->69 29 conhost.exe 25->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1/
Threat name:
Script-JS.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-04-17 06:26:11 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qutvcuhd4qloahbejqz36p4n4676b3n6qma7cnft47zlhmridyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
471319aad8312f3f5da24f6366c3fd68698cfcd2b19db31d2209f14212760296
AgentTesla
530e2499f47e4d6bca0afedb9b122fe60c7b619682467cd05d476003ddd93173
AgentTesla
5b7b1cae3c130dc78a48a191418d3cc0adba2945a7b27fb8c645fccc5c8a18c5
AgentTesla
7c0946cd8a228f35db68a9bd702e283a3ab9f41113bede7ed206e9af5f824c9e
AgentTesla
7f2d295bca7cb02c5263a780c6d6d334c0c83b926b295cb89dcdcc26b27c6906
AgentTesla
8cd65c1a0f043d6b2b5630c07e7e5aff039eea2d3fee8f7c6bba6e1c41a6efec
AgentTesla
b0f580611f79b3506b8ffcb745951d7de5811d3f91261d1fc08b247c32649688
AgentTesla
e76a26d2f6641b7ea6f3cde3a349ddc36b4c77c791bbad5b769d16e2f405e47b
AgentTesla
error
AgentTesla
f0b9b0709d906b96267804708a14f5f40b33518b558d8041776c9b62f3b36824
AgentTesla
+ 3'775 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250417-nlqy3asyfx/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments