MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

SHA256 hash: f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4
SHA3-384 hash: 741ae09dbe41081125bb4a93ecb5f22f217e0526094d9dcd57667e597253016569e37136442ebac8fe984c3cdf8107e5
SHA1 hash: e7bfde31a95148dc223347df2ed2ea436d4be041
MD5 hash: 03e2a0c33e613d9aabf9167bd28cf3c7
humanhash: don-lithium-sweet-lion
File name: APR 20204 RFQ .xlsx.vbs
Signature: AgentTesla
File size: 285'658 bytes
First seen: 2024-04-17 09:32:00 UTC
Last seen: 2024-04-17 15:52:29 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 6144:LTdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOiw80ewc4FW:HnS2Im1OwE5v
Threatray: 499 similar samples on MalwareBazaar
TLSH: T1F0544BA0CFCA26394F4B2FDABD60459289FC8159021224BDE6D907AD7243D6CD3FED58
Reporter: cocaman
Tags: AgentTesla RFQ vbs

Intelligence

File Origin
# of uploads: 5
# of downloads: 97
Origin country: CH
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cerberus finger lolbin masquerade obfuscated powershell

Result
Verdict: MALICIOUS

Result
Threat name: AgentTesla, GuLoader
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph ID: 1427275
Sample: APR 20204 RFQ .xlsx.vbs
Startdate: 17/04/2024
Architecture: WINDOWS
Score: 100
(The rendered behavior graph did not survive extraction; the process tree, network contacts, dropped file and per-node signatures it recorded are listed below.)

Process tree (started from the sample):
  wscript.exe
    powershell.exe
      powershell.exe
        wab.exe
          cmd.exe
            reg.exe
            conhost.exe
        cmd.exe
      conhost.exe
      cmd.exe
    WmiPrvSE.exe
  FTSKIaM.exe (two instances)
  rundll32.exe

Network contacts:
  sample level: mail.myhydropowered.com, ip-api.com, 3 other IPs or domains
  powershell.exe: drive.google.com 173.194.219.100:443 (GOOGLEUS, United States); drive.usercontent.google.com 64.233.177.132:443 (GOOGLEUS, United States)
  wab.exe: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); api.ipify.org 172.67.74.152:443 (CLOUDFLARENETUS, United States)

Dropped file (by wab.exe): C:\Users\user\AppData\Roaming\...\FTSKIaM.exe, PE32

Per-node signatures:
  sample: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  powershell.exe (first): Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
  powershell.exe (second): Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
  wab.exe: Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
  reg.exe: Creates multiple autostart registry keys
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2024-04-17 08:49:43 UTC
File Type: Text (VBS)
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family: guloader
Score: 10/10
Tags: family:agenttesla family:guloader downloader keylogger persistence spyware stealer trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Guloader, Cloudeye
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cerberus
Author: Jean-Philippe Teissier / @Jipe_
Description: Cerberus

Rule name: unknown_dropper
Author: #evilcel3ri
Description: Detects an unknown dropper

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Visual Basic Script (vbs) f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4 (this sample)

Delivery method: Other