MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f
SHA3-384 hash: b7075f9a40cc891e86d3bd4782aff96ac48f449cea69f4c81a75d394a803abfe2e999bbd3415488c67f303c61f96c994
SHA1 hash: db9625ce5cb3f368c1af265cf1e9992e8dc52369
MD5 hash: 94586a85ea19bd97f933bc61a6e9e03b
humanhash: charlie-mango-sweet-social
File name:EMAILMING BANK PAPER PAYMENT OF USD 8,8867.06.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:142'280 bytes
First seen:2025-02-10 18:58:48 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:G+tSPVW2d3KfVEVIjj8hzGjSG/zgP45BpZd+hUT:kPVCAnzGjvzu43TghUT
Threatray 5 similar samples on MalwareBazaar
TLSH T178D3BE858B284B8D376034B379C4C34F0E6CDDF688085A2FA4109D7D9DF5A1EBBE9925
Magika vba
Reporter abuse_ch
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.27070.27545.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67aa4cadf667f46cd182df92
Tags:
autorun lien
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1611355
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1611355 Sample: EMAILMING BANK PAPER PAYMEN... Startdate: 10/02/2025 Architecture: WINDOWS Score: 100 65 api.telegram.org 2->65 67 api.ipify.org 2->67 69 0x0.st 2->69 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 91 14 other signatures 2->91 9 wscript.exe 2 2->9         started        12 cmd.exe 2->12         started        14 cmd.exe 1 2->14         started        16 6 other processes 2->16 signatures3 89 Uses the Telegram API (likely for C&C communication) 65->89 process4 signatures5 105 VBScript performs obfuscated calls to suspicious functions 9->105 107 Wscript starts Powershell (via cmd or directly) 9->107 109 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->109 111 Suspicious execution chain found 9->111 18 cmd.exe 1 9->18         started        21 cmd.exe 12->21         started        23 conhost.exe 12->23         started        25 cmd.exe 1 14->25         started        27 conhost.exe 14->27         started        29 cmd.exe 1 16->29         started        31 cmd.exe 1 16->31         started        33 cmd.exe 1 16->33         started        35 9 other processes 16->35 process6 signatures7 77 Suspicious powershell command line found 18->77 79 Wscript starts Powershell (via cmd or directly) 18->79 81 Bypasses PowerShell execution policy 18->81 37 cmd.exe 2 18->37         started        40 conhost.exe 18->40         started        42 powershell.exe 21->42         started        44 conhost.exe 21->44         started        46 2 other processes 25->46 48 2 other processes 29->48 50 2 other processes 31->50 52 2 other processes 33->52 54 6 other processes 35->54 process8 signatures9 93 Suspicious powershell command line found 37->93 95 Wscript starts Powershell (via cmd or directly) 37->95 56 powershell.exe 15 17 37->56         started        61 conhost.exe 37->61         started        97 Tries to steal Mail credentials (via file / registry access) 42->97 99 Tries to harvest and steal ftp login credentials 42->99 101 Tries to harvest and steal browser information (history, passwords, etc) 42->101 103 Installs a global keyboard hook 54->103 process10 dnsIp11 71 api.telegram.org 149.154.167.220, 443, 49711, 49806 TELEGRAMRU United Kingdom 56->71 73 0x0.st 168.119.145.117, 443, 49703, 49785 HETZNER-ASDE Germany 56->73 75 api.ipify.org 104.26.12.205, 443, 49704, 49797 CLOUDFLARENETUS United States 56->75 63 C:\Users\user\...\StartupScript_024fc76e.cmd, ASCII 56->63 dropped 113 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 56->113 115 Tries to steal Mail credentials (via file / registry access) 56->115 117 Found suspicious powershell code related to unpacking or dynamic code loading 56->117 119 Installs a global keyboard hook 56->119 file12 signatures13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-02-10 18:59:16 UTC
File Type:
Text (VBS)
AV detection:
4 of 38 (10.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6fbjdjpwsisofd6ljhzt23unui5i77mjsj522usxdlgvbyebmipq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
AgentTesla
8c60db4a7fb86932e648d746f942fe4d44b3f2af25acd838328a51e664e65d19
AgentTesla
dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14
AgentTesla
error
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250210-xm664s1rgj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
AgentTesla
Agenttesla family
Malware Config
C2 Extraction:
https://api.telegram.org/bot5834796283:AAGrwY-Kkn2VgcNc7OCI3d_ssicyDA9JZcg/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f14291a5f692/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f14291a5f69224e28fcb49f33d6e8da23a8ffd89927bad52571acd50e081621f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments