MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2688472718a5b0be3b64d7eb647620e18bf5ced25c01bba5e02c54cb9fb07bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2688472718a5b0be3b64d7eb647620e18bf5ced25c01bba5e02c54cb9fb07bf
SHA3-384 hash: c50122ed9dbcd38e0b4bc9f01227d96237878dd75588f1cd0138744d5420bb02d7ebabcd3725d7d1214b5906e6deda9c
SHA1 hash: cd741ade0d9c73f1377b12dbe2e6315b84ba1193
MD5 hash: 28b3fe92d68e8091ad4044c68e4c80d9
humanhash: sink-xray-gee-dakota
File name:ESL.vbs
Download: download sample
Signature AgentTesla
Create hunting rule
File size:273'024 bytes
First seen:2023-08-24 13:45:26 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:7jggu69uoByrswI0EAELwEUE+m4E7EvwvXdlPQQJLQQFQ5f35q4HWXFBNAwJrN93:7jgguBVFRdZ1Q
Threatray 5'494 similar samples on MalwareBazaar
TLSH T16944A92060DE6488A5737F530BEDADE98F9BBBE1573A60AE204C43878753E44CE65731
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter James_inthe_box
Tags:AgentTesla vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444545/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-JI.27525.14178.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/f2688472718a5b0be3b64d7eb647620e18bf5ced25c01bba5e02c54cb9fb07bf
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1296730
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and load assembly
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1296730 Sample: ESL.vbs Startdate: 24/08/2023 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 Found malware configuration 2->79 81 8 other signatures 2->81 8 wscript.exe 1 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 89 VBScript performs obfuscated calls to suspicious functions 8->89 91 Suspicious powershell command line found 8->91 93 Wscript starts Powershell (via cmd or directly) 8->93 13 cmd.exe 1 8->13         started        16 powershell.exe 7 8->16         started        95 Very long command line found 11->95 18 powershell.exe 11->18         started        20 cmd.exe 1 11->20         started        process5 signatures6 113 Wscript starts Powershell (via cmd or directly) 13->113 115 Uses ping.exe to sleep 13->115 117 Uses ping.exe to check the status of other devices and networks 13->117 22 cmd.exe 1 13->22         started        25 PING.EXE 1 13->25         started        28 conhost.exe 13->28         started        119 Suspicious powershell command line found 16->119 30 powershell.exe 14 14 16->30         started        32 conhost.exe 16->32         started        34 powershell.exe 18->34         started        36 conhost.exe 18->36         started        38 cmd.exe 1 20->38         started        40 2 other processes 20->40 process7 dnsIp8 83 Wscript starts Powershell (via cmd or directly) 22->83 42 powershell.exe 9 22->42         started        57 127.0.0.1 unknown unknown 25->57 59 uploaddeimagens.com.br 188.114.96.7, 443, 49706 CLOUDFLARENETUS European Union 30->59 61 94.156.161.167, 49707, 49725, 80 NET1-ASBG Bulgaria 30->61 85 Writes to foreign memory regions 30->85 87 Injects a PE file into a foreign processes 30->87 46 RegAsm.exe 15 2 30->46         started        63 188.114.97.7, 443, 49724 CLOUDFLARENETUS European Union 34->63 49 RegAsm.exe 2 34->49         started        51 RegAsm.exe 34->51         started        53 powershell.exe 9 38->53         started        signatures9 process10 dnsIp11 55 C:\Users\user\AppData\Roaming\...\WLDY.vbs, Unicode 42->55 dropped 97 Suspicious powershell command line found 42->97 99 Drops VBS files to the startup folder 42->99 101 Found suspicious powershell code related to unpacking or dynamic code loading 42->101 65 awelleh3.top 185.198.59.26, 49709, 49728, 587 HSAE Netherlands 46->65 67 mail.awelleh3.top 46->67 73 2 other IPs or domains 46->73 103 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->103 105 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 46->105 107 May check the online IP address of the machine 46->107 69 mail.awelleh3.top 49->69 71 api.ipify.org 49->71 109 Tries to steal Mail credentials (via file / registry access) 49->109 111 Tries to harvest and steal browser information (history, passwords, etc) 49->111 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2688472718a5b0be3b64d7eb647620e18bf5ced25c01bba5e02c54cb9fb07bf/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-24 13:45:24 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6juii4trrjnqxy5wjv7lmr3cbyml6xhnexabxos6alcuzop3a67q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f
AgentTesla
30528f2a9ca10a996d5aab72a69b77635328ca16983461cb55f22fb5b7ccf6ec
AgentTesla
4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
AgentTesla
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
AgentTesla
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
AgentTesla
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
AgentTesla
db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de
AgentTesla
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
AgentTesla
+ 5'484 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230824-q2y1qaee2s/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2688472718a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/f2688472718a5b0be3b64d7eb647620e18bf5ced25c01bba5e02c54cb9fb07bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/444545/
  
URLhaus
https://urlhaus.abuse.ch/url/2706780/

Comments