MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508
SHA3-384 hash: 26bdacf0ff7b564be7a1bac184d581747d38e9418cbe478df005ff8410017e8cdd05a52f3a6ca95cf62c1d20383bb4b0
SHA1 hash: c675f8a2c489bedd003144e4258e1480126ebeb0
MD5 hash: 3f4f0c24c3dccdedcfa38d3bb2172d21
humanhash: twenty-mississippi-bluebird-network
File name:059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508
Download: download sample
Signature AgentTesla
Create hunting rule
File size:695'296 bytes
First seen:2022-09-21 03:53:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 44351d6ca1a3d6fc3cf96f81275d6bb9 (1 x AgentTesla)
ssdeep 12288:ifTHFeFlI6wvP/HNsgNDQLvQfPIB7a2fXMsh0YYb6ylsMUUMI1:EzFWI6wfNsgOq47RXvPYb6ylsMiI1
TLSH T192E4AF23A6E05C32F16236785C4B576C9936FE103969AD462BE92C0C9F397813C7B397
TrID 50.0% (.EXE) InstallShield setup (43053/19/16)
16.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.2% (.SCR) Windows screen saver (13101/52/3)
5.2% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon 6961698d9ded685e (1 x AgentTesla)
Reporter vxunderground
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
GOC_PSC-0015.PDF.exe
Verdict:
Malicious activity
Analysis date:
2019-05-15 08:36:00 UTC
Tags:
installer keylogger stealer agenttesla evasion trojan rat
Link:
https://app.any.run/tasks/fa51456d-3392-4fab-8c2c-a552a3de6923

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311849/
Detection(s):
Win.Dropper.Remcos-6970629-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38337/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/632a8b5ab333b2ec6b3c95f8/reports/0cb9c92c-082e-4a77-8fb3-0cd7eaf4147c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83e6f106-0466-46a2-a4b6-dfccb6afb58c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074218
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 706760 Sample: Ns5GXXzW0s.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 27 checkip.eu-west-1.prod.check-ip.aws.a2z.com 2->27 29 checkip.check-ip.aws.a2z.com 2->29 31 checkip.amazonaws.com 2->31 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 7 MyApp.exe 2->7         started        10 Ns5GXXzW0s.exe 2->10         started        12 MyApp.exe 2->12         started        signatures3 process4 signatures5 49 Antivirus detection for dropped file 7->49 51 Multi AV Scanner detection for dropped file 7->51 53 Detected unpacking (changes PE section rights) 7->53 55 Machine Learning detection for dropped file 7->55 14 MyApp.exe 16 7->14         started        57 Detected unpacking (overwrites its own PE header) 10->57 59 May check the online IP address of the machine 10->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->61 63 Contains functionality to detect sleep reduction / modifications 10->63 18 Ns5GXXzW0s.exe 17 19 10->18         started        65 Maps a DLL or memory area into another process 12->65 21 MyApp.exe 4 12->21         started        process6 dnsIp7 33 mail.parmanand.in 14->33 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->67 69 Tries to steal Mail credentials (via file / registry access) 14->69 71 Tries to detect sandboxes / dynamic malware analysis system (file name check) 14->71 75 2 other signatures 14->75 35 mail.parmanand.in 18->35 37 parmanand.in 103.108.220.224, 49711, 49725, 587 WEBWERKS-ASWebWerksIndiaPvtLtdIN India 18->37 39 3 other IPs or domains 18->39 23 C:\Users\user\AppData\Roaming\...\MyApp.exe, PE32 18->23 dropped 25 C:\Users\user\...\MyApp.exe:Zone.Identifier, ASCII 18->25 dropped 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->73 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2019-05-15 01:39:18 UTC
File Type:
PE (Exe)
Extracted files:
173
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=awnzpuw3kkatavxl3n6w5iwksd42pminjaj3sgns5j4ebctocuea._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220921-ef7vysehe7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4022a39e-ed98-4836-96ef-ba6e934964f8
Unpacked files
SH256 hash:
2e9a24464651c7aa2f3b651a643ed8c3bf561af846544316e3ccf59dcda3cae9
MD5 hash:
cad47961c4d910a0a26e5d752ecca1cf
SHA1 hash:
0a5e2384b986de53990bc601cce83f8bb0fc9e00
Detections:
win_agent_tesla_g2
Create hunting rule
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/1868690f-cb27-4f3c-9f6d-286a49a4de53/
SH256 hash:
f5b1f4350c6f5c8860f5fcb388208a5d519bbd8284bc5fe4351195e7f0d14900
MD5 hash:
6fec64f4c0fffe6c666002eb94785ee3
SHA1 hash:
ddf00224b2c1861e2c2a2d41822a661fa34613cc
Detections:
win_agent_tesla_g2
Create hunting rule
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/1868690f-cb27-4f3c-9f6d-286a49a4de53/
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
Link:
https://www.unpac.me/results/1868690f-cb27-4f3c-9f6d-286a49a4de53/
SH256 hash:
059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508
MD5 hash:
3f4f0c24c3dccdedcfa38d3bb2172d21
SHA1 hash:
c675f8a2c489bedd003144e4258e1480126ebeb0
Link:
https://www.unpac.me/results/1868690f-cb27-4f3c-9f6d-286a49a4de53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311849/

Comments