MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55
SHA3-384 hash: b6c744eafcff2ea6aeaf31041bb429a730b517892930985f0d5c8fe0d7096afddf994bdb3ece39421c1a0c7e4f3cd769
SHA1 hash: 7d8ed101097c449619ef3d434c201b0f29411369
MD5 hash: 03bb2a6737a3ff4db90f03e325f166dd
humanhash: seven-shade-fruit-eighteen
File name:rRFQ_ORDER_severalparts20252603.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'880 bytes
First seen:2025-03-26 07:00:06 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:l/YxvgdO9n/91I1JvSZ5YmVjBtueJrlz3ouNy1ZMRwn9sda72v:lgFgdUFCXKzBttxYin0mas
Threatray 3'611 similar samples on MalwareBazaar
TLSH T129A14B553C52DA2CB9B7E4A58C2E0508D2D8D76B1738AF82B52E40850F3E1BCA36B6C4
Magika vba
Reporter FXOLabs
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
BR BR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.NetWorm.005148c41.9104.32217.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e3a60a12b5dc44da3e2b99
Tags:
shell spawn sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex dropper evasive masquerade obfuscated obfuscated opendir opendir packed ping powershell
Link:
https://www.filescan.io/uploads/67e3a60af274bf2d8e226de5/reports/b0c2f558-9ceb-4b1c-8a5b-3d3bdac39e20/overview
Verdict:
Suspicious
Labled as:
NetWorm
Link:
https://www.hybrid-analysis.com/sample/e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1648780
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1648780 Sample: rRFQ_ORDER_severalparts2025... Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 38 larisantiara.com 2->38 40 ip-api.com 2->40 42 google.com 2->42 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 7 other signatures 2->56 9 wscript.exe 16 2->9         started        signatures3 process4 dnsIp5 46 larisantiara.com 101.99.77.186, 443, 49694, 49696 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 9->46 32 C:\Users\user\AppData\Local\...\DDAC[1].ps1, ASCII 9->32 dropped 34 C:\Temp\scr77174.ps1, ASCII 9->34 dropped 66 System process connects to network (likely due to code injection or exploit) 9->66 68 VBScript performs obfuscated calls to suspicious functions 9->68 70 Wscript starts Powershell (via cmd or directly) 9->70 72 5 other signatures 9->72 14 powershell.exe 17 9->14         started        18 PING.EXE 1 9->18         started        file6 signatures7 process8 dnsIp9 36 C:\Users\...\JXCJKXCJHKJHXCJHKXCXCJHK.exe, PE32 14->36 dropped 80 Found suspicious powershell code related to unpacking or dynamic code loading 14->80 82 Powershell drops PE file 14->82 21 JXCJKXCJHKJHXCJHKXCXCJHK.exe 15 3 14->21         started        24 conhost.exe 14->24         started        44 google.com 142.250.80.78 GOOGLEUS United States 18->44 26 conhost.exe 18->26         started        file10 signatures11 process12 signatures13 58 Antivirus detection for dropped file 21->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->60 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->62 64 3 other signatures 21->64 28 JXCJKXCJHKJHXCJHKXCXCJHK.exe 2 21->28         started        process14 dnsIp15 48 ip-api.com 208.95.112.1, 49698, 80 TUT-ASUS United States 28->48 74 Tries to steal Mail credentials (via file / registry access) 28->74 76 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->76 78 Tries to harvest and steal browser information (history, passwords, etc) 28->78 signatures16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-26 04:37:52 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5h5mu7seqr554n3ihgmz752jdi77wbaj6r7boblauzh2q6hl3nkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
39711f9ed69e976f7d9ef46eb054961108e4bf50cb0d325224cf49cad65c0844
AgentTesla
4134e809b4215bcc9028ec5a5c7bf398a6c03ac5188c53481ac44deadd8c2af5
AgentTesla
9a2ebcdc6008be237ef88cb4042305090c4c4e9202a6805d76f9aaaa6a84def9
AgentTesla
df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67
AgentTesla
error
AgentTesla
fd8ea7b40be90b4c239e81785b0f33e38ec3683964e714b25d69585144006def
AgentTesla
+ 3'601 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250326-hstqmsslv8/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
AgentTesla
Agenttesla family
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9faca7e4484/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Visual Basic Script (vbs) vbs e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments