MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e94436cf65935c61c01ca99536b5520236738fd3cfd94aff2fecfe5b27ae1d39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e94436cf65935c61c01ca99536b5520236738fd3cfd94aff2fecfe5b27ae1d39
SHA3-384 hash: 86188db7c2b4c114dcc922f30c6dbc325165908ec4052b5206b1aff9983c60aedbdabd34c21be8a6fe1742e1804ae02d
SHA1 hash: 914470db2542c77a0a3cdd05e1741750d9215084
MD5 hash: f1d0673aa240357bff2a38e7f16c9a7a
humanhash: november-diet-robert-snake
File name:verycuteflowerpictureimage.jpg
Download: download sample
Signature AgentTesla
Create hunting rule
File size:181'672 bytes
First seen:2024-05-10 10:36:55 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:ben2+mzXdnO2Nd99CObi1CocEW1aJK66n5yhtW0/5JpWn4clIg0BfbUZlu9gISsC:TNdA9JK6X/vcOg0BfcP
TLSH T1A904AF12A3EA0108B5B23F4D5E7295784A27BF95597AC63D05BC280E0BF3D449DE1BB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter NDA0E
Tags:AgentTesla vbs


Avatar
NDA0E
http://mmaemojo.hopto.org/verycuteflowerpictureimage.jpg

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/663df8dd54aa07c307f44030/reports/964d1a9b-06a9-4356-9c00-c05b3d4eb9a7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e94436cf65935c61c01ca99536b5520236738fd3cfd94aff2fecfe5b27ae1d39
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1439627
Signature
Connects to a pastebin service (likely for C&C)
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/e94436cf65935c61c01ca99536b5520236738fd3cfd94aff2fecfe5b27ae1d39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e94436cf65935c61c01ca99536b5520236738fd3cfd94aff2fecfe5b27ae1d39/
Threat name:
Script-WScript.Downloader.Valyria
Create hunting rule
Status:
Malicious
First seen:
2024-05-10 10:37:05 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fcdnt3fsnogdqa4vgktnnksai3hhd6tz7muv7zp5t7fwj5odu4q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240510-qmskdsbh88/
Behaviour
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e94436cf65935c61c01ca99536b5520236738fd3cfd94aff2fecfe5b27ae1d39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2845464/
  
URLhaus
https://urlhaus.abuse.ch/url/2845484/

Comments