MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a
SHA3-384 hash: 6d0e22072fc8916182425e357522f0b7ecce6b4fce4a5ed5591ef0ea77d72320a9257ebd53fc26cf37c7de94fce83543
SHA1 hash: b8416bf15688ad1be2fb8c74e965d80acf0d33e7
MD5 hash: 119f82623a009242c09fb50f57dd6c59
humanhash: fruit-steak-oranges-finch
File name:0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a
Download: download sample
Signature AgentTesla
Create hunting rule
File size:656'384 bytes
First seen:2023-05-14 09:42:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qKakIPRUi+gf5BP2QTbz0cOdHSFJf6XaRQ+kCwNqUry:HIPz+wdoyhRQLHTy
Threatray 2'822 similar samples on MalwareBazaar
TLSH T167D49D63F135CADFED713BA5C14DE799BE60D412E055F0A13E0A20C8DAA57E21E8C17A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter petikvx
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a
Verdict:
No threats detected
Analysis date:
2023-05-14 09:46:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8cbb3cf-e4c0-40b7-a84d-a8d51d076448

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389322/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66778636.13243.4063.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6460ad26fcd24773a4dc09a5/reports/7a7eda8a-88f0-4436-9ec4-4bfaa771a1fd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffc2d68f-dfe0-48f5-b99c-e552b751df95
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1232732
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-04-30 21:33:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=awjcedeq42qt6cmhvnqaw67ob7g35mtrbjqltrn7bqta55hrwfva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
030c152d386b5849508a740eecad662de4e716ad593eb95863c93bb9be046a62
AgentTesla
33b5ccf1b3b48e22ab607320e0bb143ad0ac2a9770b0e385c0365366de472ceb
AgentTesla
7e17d20032413cfa6dc32271e7a386b32a4cc79744171f9f2d9b895444c5e110
AgentTesla
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
AgentTesla
a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75
AgentTesla
a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
AgentTesla
b32ed7458086ae3a05007a54d6660b9ce6382bd82af78c2c56f856ea6f2d95a3
AgentTesla
b81b5d7a927299cc54748988d70523c615e82e21482652510a1a95db89b3521d
AgentTesla
bfede26656dbab01c01f5187f8a5d9b63cd0f8bba301e8c1d145bda515960f02
AgentTesla
dae4a7ae7b88e0e864d2dac3ebabee86916b29c609623b754fbd253d2812a491
AgentTesla
+ 2'812 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230514-lpw85sdg7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f1e5335a6e1e0d72dedd9edf946bef357c646fd7ced4140d6407b8adb8fddde4
MD5 hash:
169c6d8526b7f9fa4395e9bc61c4973f
SHA1 hash:
043e4369aa16fc7e668a789a6e2b3d8b27d1dae9
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
Parent samples :
b32ed7458086ae3a05007a54d6660b9ce6382bd82af78c2c56f856ea6f2d95a3
0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a
SH256 hash:
c0fc32c63f0205cb9f2e5a083beea138083457c79273c4d173b291b53870db5b
MD5 hash:
1bed7d42cb4124979ef83dfed99537e0
SHA1 hash:
552634d957015dccd86c424a5ffb926ed8d3beee
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
SH256 hash:
d1a3f444e602cc8d78d74a9ef3ff076fc81b3cfb39b48f5b8393f33562dfbf85
MD5 hash:
85d01b777af01735ca9f86c5f613ebb0
SHA1 hash:
3b5a583dabc75ef8e1bf7fc2e543eb139a9ddf09
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
SH256 hash:
3cb0b4b0b148696f26ab4b448317759937b8f8e92a63287cbe31fb596fddafe6
MD5 hash:
627bbf583fa49993b9c1f0d25c344d88
SHA1 hash:
0f29930aff2492d7d7eac716ba9e9d1461ec1f18
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
SH256 hash:
0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a
MD5 hash:
119f82623a009242c09fb50f57dd6c59
SHA1 hash:
b8416bf15688ad1be2fb8c74e965d80acf0d33e7
Link:
https://www.unpac.me/results/7f1c6f00-ada5-4956-9227-b8dd37f3ef48/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0592220c90e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0592220c90e6a13f0987ab600b7bee0fcdbeb2710a60b9c5bf0c260ef4f1b16a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2263990/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389322/

Comments