MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
SHA3-384 hash: ab2c923354a1faaa6b28e0451a715bb6780e4a561e4268ab8f16312d5da987e4ab9b143397ce88111863aecbf6c2ba6b
SHA1 hash: 4194d0f9929a6fb5f43bf45d009e3fe4e3adb574
MD5 hash: e2a4a40fe8c8823ed5a73cdc9a8fa9b9
humanhash: spring-georgia-fifteen-one
File name:GREENN VALLEY PO REVISED NO363846348.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:140'936 bytes
First seen:2023-08-03 15:43:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:4s3BZiZdZA1R+fctQz2gDgfgoohjmvmlmZmzmWmXm3mFmGQjr+gMQ:TBZiZdZA1R+fctQXmvmlmZmzmWmXm3mk
Threatray 5'566 similar samples on MalwareBazaar
TLSH T18ED38D1091EA51CDF2B27F5357ED69A48F2BF7D1573A54AD3008070A8BABE84CE58372
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440115/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.9745.11850.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/64cbcb46cbfeb5bd57515794/reports/e76df277-7fa3-4055-a185-721df9fcef04/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.Hworm
Link:
https://www.hybrid-analysis.com/sample/e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1285219
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1285219 Sample: GREENN_VALLEY_PO_REVISED_NO... Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 24 uploaddeimagens.com.br 2->24 34 Found malware configuration 2->34 36 Antivirus detection for URL or domain 2->36 38 Yara detected AgentTesla 2->38 40 Sample uses string decryption to hide its real strings 2->40 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 48 VBScript performs obfuscated calls to suspicious functions 9->48 50 Suspicious powershell command line found 9->50 52 Wscript starts Powershell (via cmd or directly) 9->52 54 Very long command line found 9->54 12 powershell.exe 7 9->12         started        process6 signatures7 56 Suspicious powershell command line found 12->56 58 Found suspicious powershell code related to unpacking or dynamic code loading 12->58 15 powershell.exe 14 7 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 26 uploaddeimagens.com.br 188.114.96.7, 443, 49709 CLOUDFLARENETUS European Union 15->26 28 195.178.120.24, 49711, 80 HEXAGLOBE-ASFR unknown 15->28 30 Writes to foreign memory regions 15->30 32 Injects a PE file into a foreign processes 15->32 21 RegAsm.exe 2 15->21         started        signatures10 process11 signatures12 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->42 44 Tries to steal Mail credentials (via file / registry access) 21->44 46 Tries to harvest and steal browser information (history, passwords, etc) 21->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-03 15:44:07 UTC
File Type:
Text (VBS)
AV detection:
1 of 38 (2.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46qvpoqydhl27gs7m2vj4fq4zzuneb4s2el2sazs754xzo6yvksq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ed77fd89bf16db78b75431e59d9e15c2a284563cb77bc69d49a45823accca80
AgentTesla
142fdc315348f2ea29d8d3b7ff744c19fa7c6abef2c8f49f2206472d5c9b1ae8
AgentTesla
1b91aa318e9c011abed18662e8c577ddcb12499de26e2fd19bfb4a4ea81f7450
AgentTesla
4a6391439592ce3581a5d2c8f6195cc7e582d69222cf0e23d6bb0e8962abd1c2
AgentTesla
8b5d0256e791d798c930f8222b03609805f1bf08c2fb58cf8f777ee09c0e273b
AgentTesla
ab1144d8fcde912bc3e50f59f24eeb6fc6fb37cb5c20f194e41075e1baadb261
AgentTesla
d56f7dbd535d973bc8b14f22c58ab9c658e0bbe3f3139e7c16c619dba98ec664
AgentTesla
d997738192f067dfc261c68889e5d82cb0a25a7527c63ca5cedc9e1843018bbc
AgentTesla
e5422aab2b092de22741f596fef6ec85bb285f9ddee4efd3b1e5a165f7bddbaa
AgentTesla
+ 5'556 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230803-s6gncaea33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7a157ba1819/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/440115/

Comments