MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7
SHA3-384 hash: 88259ae2b9b9334f0a13ad06051b9e394527ca16a9df65384327d74e9e0f2ee5179d030218a6698dbc7a9e6c44fe195c
SHA1 hash: 94eb4980ef99a1153de7546d432288da54e4dd2d
MD5 hash: 32b910a06c3169b599852dad6c181ed6
humanhash: finch-bulldog-september-wolfram
File name:32b910a06c3169b599852dad6c181ed6
Download: download sample
Signature AgentTesla
Create hunting rule
File size:906'752 bytes
First seen:2023-05-09 01:05:34 UTC
Last seen:2023-05-13 22:42:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:U61Hf0xPmazen+kUgm/NI83RlmLxT1gyLwYHivTwIwuIbK6eYoXNLcPb0VotlsLH:THf0xuaXfg7a72N1fHZ
Threatray 1'113 similar samples on MalwareBazaar
TLSH T1D315AE68B361A58EC407CD334A5CFC7056217CAB7AC7C11261D73F9BBB6EA869E00197
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 04e425252525e404 (3 x AgentTesla)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32b910a06c3169b599852dad6c181ed6
Verdict:
Malicious activity
Analysis date:
2023-05-09 01:08:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc034cfa-8094-4e8e-b2e0-7981559de6fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387631/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys packed
Link:
https://www.filescan.io/uploads/64599c7dd860ee3e1ca64bf5/reports/a832d764-6f45-4bd2-b594-aabd44596da5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cab8ce4b-f384-47d5-bfa1-f9b96d8e1567
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228775
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 861739 Sample: sSFjcPIxUW.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 6 other signatures 2->57 7 sSFjcPIxUW.exe 7 2->7         started        11 NRxRXfYhgW.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...35RxRXfYhgW.exe, PE32 7->35 dropped 37 C:\Users\...37RxRXfYhgW.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp37FD.tmp, XML 7->39 dropped 41 C:\Users\user\AppData\...\sSFjcPIxUW.exe.log, ASCII 7->41 dropped 59 Detected unpacking (changes PE section rights) 7->59 61 Detected unpacking (overwrites its own PE header) 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 71 2 other signatures 7->71 13 RegSvcs.exe 15 2 7->13         started        17 powershell.exe 17 7->17         started        19 powershell.exe 16 7->19         started        21 schtasks.exe 1 7->21         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Writes to foreign memory regions 11->69 23 RegSvcs.exe 11->23         started        25 schtasks.exe 11->25         started        signatures5 process6 dnsIp7 43 api4.ipify.org 64.185.227.155, 443, 49699, 49701 WEBNXUS United States 13->43 45 api.telegram.org 149.154.167.220, 443, 49700, 49702 TELEGRAMRU United Kingdom 13->45 47 api.ipify.org 13->47 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->73 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->75 77 May check the online IP address of the machine 13->77 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        49 api.ipify.org 23->49 79 Tries to steal Mail credentials (via file / registry access) 23->79 81 Tries to harvest and steal browser information (history, passwords, etc) 23->81 33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-03 09:51:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ac2gpc4u3ccnky4l2jyo2dcc6idjp25rxitunukliviv3jb32o3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
251ca0215e976403d529fba60bd67ca614a3e6b18a7f2420c64acbf31400ed7c
AgentTesla
487684e01b232a60cff5d2eb9c1a438e3b6545a6e2610771084079bdf42764fd
AgentTesla
6c9edf76efc88d3ae9ba10f36ac4e5b30ad4b5766a41729bba53f78fba84c0bc
AgentTesla
bc6f73a3805a709752228323fa42bf2806fe584f479496f6647db7ca05136299
AgentTesla
e94f95707bc1ee3c1516cce43846a594acf5a1024ae7a76cb34afe5639fe95b5
AgentTesla
ecc62761886dac7775e9dcf2c323e300a5c694e1322496a1ad66808eb7dfd940
AgentTesla
+ 1'103 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230509-bf3z8afd9y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Unpacked files
SH256 hash:
8b6897340984e35dba937364681bd98592594774504daf0a724c843c00b95341
MD5 hash:
3a566b5e883a0c0cdfe09cd5d64bce6f
SHA1 hash:
9cbdec781d7aabbe6286474833877aa6ca030951
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e41264b0-334e-4fe2-a578-afb64589bc98/
Parent samples :
02e5efb34c7a49fdfa2aa6e1399060c94f2de759c15040aaea1499062a3f9901
2463a1d5e35dde5253c9706b07f3eef1166488a56437dc94c816a269770f8073
00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7
1eff050baff83ae24c33483e5d79a58d2ca3370b8716332ac88c1c704338c3b1
bebd0c5009a5b0b0a06fbe0020bd6f083ed90509771dbf1f8010e19e527bf464
b63331b6052cd2cdecf84fd9a481bc30a5c8404d09a5694700a6b79f5d76514a
1ce24db77fddb5022011d0407f93d6217b84ad6e18bf9be127bd8d2808423b73
8eb1f5551a27d2fe1366393c4fc787ebf70dd0d394e1d229bd8a5ba34f418bb3
da59dd1b2e20e25f770267c503b455d48c710a285721f78ab1a8070200d67261
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75
801b442b0666a9911fdbd15b4ef325314af7b9459c10da89a4568088cc1a9ee2
SH256 hash:
9aeb58f8db7f6f8b8a91f4c9daff11ea1cf9b63ffaf420f89a10c345a3d65644
MD5 hash:
d8efc08e8b28f782edf68762aba31f60
SHA1 hash:
9c0255229dc4584e3a67e054905094466774db8b
Link:
https://www.unpac.me/results/e41264b0-334e-4fe2-a578-afb64589bc98/
SH256 hash:
ec043ad40038640b97519e951095d3f5de6a670ad33ab0de52d7b8c43d51e307
MD5 hash:
c36383574e94f55b856f231948308b5d
SHA1 hash:
7d8de0c454873dc6ef3d82c08d9f48199b637618
Link:
https://www.unpac.me/results/e41264b0-334e-4fe2-a578-afb64589bc98/
SH256 hash:
ee0add637e18a0f8aafbe5b3f4cac89e1ff12b9f2908a5756c0e019f7398dd48
MD5 hash:
7dbd3b1e14287539e8e581d428d515b1
SHA1 hash:
48d10e03432afb3ca71ad27c74ac5c9ee71c6fb3
Link:
https://www.unpac.me/results/e41264b0-334e-4fe2-a578-afb64589bc98/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/e41264b0-334e-4fe2-a578-afb64589bc98/
SH256 hash:
00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7
MD5 hash:
32b910a06c3169b599852dad6c181ed6
SHA1 hash:
94eb4980ef99a1153de7546d432288da54e4dd2d
Link:
https://www.unpac.me/results/e41264b0-334e-4fe2-a578-afb64589bc98/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00b4678b94d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2627410/
Cape
Cape
https://www.capesandbox.com/analysis/387631/

Comments


Avatar
zbet commented on 2023-05-09 01:05:35 UTC

url : hxxp://198.23.188.135/55/vbc.exe