MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef00a6db6ae1730a8665f14be60bed809f0b8b9c57c4ab480c6addd772f1f933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ef00a6db6ae1730a8665f14be60bed809f0b8b9c57c4ab480c6addd772f1f933
SHA3-384 hash:	724fc89ca308ff8401d0c26b24f9cb20754bd3cfbf8ee9c518573cdbe78bd02d4d3d3c0b9351b80060a130ef5b807116
SHA1 hash:	752ba9edcc7060b406b0c7aa754b87c600310b14
MD5 hash:	5b3ab16bb12041f04fe9dc0fd77f464f
humanhash:	hydrogen-tango-whiskey-charlie
File name:	PO#190384 .vbs
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'197 bytes
First seen:	2021-10-28 15:27:45 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:fV4Uz6///BPosJK0xAU5iexBFN0oFnPIZ///k+AaC:d4SGgoK0xARe4YnPpJ
Threatray	12'381 similar samples on MalwareBazaar
TLSH	T1EE218611DC23FFE20830E3956CC4D5EEC5F868C017B078BC8288BE1A68BE06D699D4B1
Reporter	abuse_ch
Tags:	AgentTesla vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/200974/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.32497.11893.5810.UNOFFICIAL

Result

Verdict:

UNKNOWN

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/878712

Signature

.NET source code contains very large array initializations

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Obfuscated command line found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

VBScript performs obfuscated calls to suspicious functions

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AgentTesla

Yara detected Powershell download and execute

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef00a6db6ae1730a8665f14be60bed809f0b8b9c57c4ab480c6addd772f1f933/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2021-10-28 07:25:51 UTC

AV detection:

7 of 28 (25.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=54aknw3k4fzqvbtf6ff6mc7nqcpqxc44k7ckwsamnlo5o4xr7ezq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

04eb7b281d4f5e37659e295549491d704bb22c94f1bfea7b0f208701fd15f16d

203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f

3bd531bf7f5b3d7b331a325ebc1f71d8b59c5db9b0c03287137beb0931012a09

6200e6a721132d15b787150d21ed3d1a153dcafa0068d7785286a84820d2cb94

75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f

89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f

b9c0b6dd76212644b551d5b8ea745b3f14f6c92365e767836382a4c8ea54906b

be210663fa2f732768adccd12d26b56cc23740d433481f748ce7401c75f41e72

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

+ 12'371 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/211028-s4sylagfan/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Blocklisted process makes network request

Malware Config

Dropper Extraction:

https://saffdsfssfsdfd.000webhostapp.com/tttt.txt

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ef00a6db6ae1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef00a6db6ae1730a8665f14be60bed809f0b8b9c57c4ab480c6addd772f1f933

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/200974/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample