MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
SHA3-384 hash: cb20074ba8877317ff35544a445dfc0dc200d2cfdf4e0eead641f8c4ed611cb074f3d4f8c0971b26f48a8b7569234dec
SHA1 hash: 119e36c87a7ff744554df17243d03181218f3086
MD5 hash: 201bf24edee169088754b5762f597ad5
humanhash: uniform-pennsylvania-two-apart
File name:SecuriteInfo.com.Win32.PWSX-gen.8648.28187
Download: download sample
Signature AgentTesla
Create hunting rule
File size:702'976 bytes
First seen:2023-04-18 16:29:16 UTC
Last seen:2023-04-24 07:59:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Dg+Aoi1H9jEPXhlJRkquh/3kKRweH5gHkcG6ZWfSBRZOAl:k9H9YXhlJaqu+IweYXlWfQZd
Threatray 243 similar samples on MalwareBazaar
TLSH T1E6E4BE1E32239F56C26ED7F5105858713BB0A2837A2CC27DACC753CB9ABAF01168575B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
279
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.8648.28187
Verdict:
Malicious activity
Analysis date:
2023-04-18 16:30:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fccbae54-2bce-4bd2-bc9b-d1154d95b465

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383078/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.8648.28187.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/643ec58d48716a65fb205acd/reports/57b03b41-82fc-4f5f-9769-0bccde4d7655/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8010c8ea-fd76-4f6c-9a9f-8b37da4c30c0
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216159
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 849083 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 7 SecuriteInfo.com.Win32.PWSX-gen.8648.28187.exe 7 2->7         started        11 AChPSdweybBrc.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\AChPSdweybBrc.exe, PE32 7->31 dropped 33 C:\...\AChPSdweybBrc.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpE836.tmp, XML 7->35 dropped 37 SecuriteInfo.com.W....8648.28187.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 63 Adds a directory exclusion to Windows Defender 7->63 13 SecuriteInfo.com.Win32.PWSX-gen.8648.28187.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 21 AChPSdweybBrc.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 masarusering.com 68.66.248.44, 49708, 49710, 587 A2HOSTINGUS United States 13->39 41 mail.masarusering.com 13->41 47 2 other IPs or domains 13->47 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.masarusering.com 21->43 45 api.ipify.org 21->45 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ailjk4mjdk3tgmac7gb5gvclfj4ko5or2vpvstc44smihmii6pxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580
AgentTesla
5a9397f2ec2a6609708ad1bbbff41e1d6d099d863d0714003d35070be9786edd
AgentTesla
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
AgentTesla
7b0134022faef8ea8b527241b3dc2e74457b4b05fbe029eb9b0e9bc4d1206453
AgentTesla
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
AgentTesla
c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
AgentTesla
c70ed8b0ed3a434cadb2b4fcb796b3f6fb7266a3661c0a60ebe87a1e39613e21
AgentTesla
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
AgentTesla
+ 233 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230418-tzsygacf76/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
937640e236fb61845f43e8f7264480bcd719175232575c5605c7617e1c94cc5b
MD5 hash:
28e98e16464eb19b358088d910eb13ff
SHA1 hash:
f5e7980d34d7d70357d4aaa63c6c5ce5184e8fce
Link:
https://www.unpac.me/results/34eacb1e-79ac-47ca-94c5-e79bde02cf72/
SH256 hash:
6c0b86fddf25aefede58eb1522e44d824edb55270cdada096cca63a8f854ca4f
MD5 hash:
be62fd1ea8e9dc173ff5eff33fec9a92
SHA1 hash:
f2e5127db8e62814c4ed5f529f2a35ab152cc86f
Link:
https://www.unpac.me/results/34eacb1e-79ac-47ca-94c5-e79bde02cf72/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/34eacb1e-79ac-47ca-94c5-e79bde02cf72/
SH256 hash:
fc9f66bb4c515dad25a40407336875586c65c39e09fe1d941aa6a4bd7f689f49
MD5 hash:
33903dfbf0c5d7b19bd53594796d6628
SHA1 hash:
a24ea0cc30c57f129d91c0a0e3cd02914dc61446
Link:
https://www.unpac.me/results/34eacb1e-79ac-47ca-94c5-e79bde02cf72/
SH256 hash:
f019cbfed9a48d21b57620e9e9fe44139a49d8f6ad72e1db96e13485a79684b3
MD5 hash:
9145a823fd2d38c9e827c932c0e1a688
SHA1 hash:
0fd71390162822b2571c34a0ed5289d9e09662d1
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/34eacb1e-79ac-47ca-94c5-e79bde02cf72/
Parent samples :
02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
4f106e71463410c0880736786b987b0329cb64a441481794230890d48661c9b2
326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
SH256 hash:
02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
MD5 hash:
201bf24edee169088754b5762f597ad5
SHA1 hash:
119e36c87a7ff744554df17243d03181218f3086
Link:
https://www.unpac.me/results/34eacb1e-79ac-47ca-94c5-e79bde02cf72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383078/

Comments