MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df
SHA3-384 hash: 7d791292e2d73da41ced4f8457f861635747290eccce2241fbb84f41604ab7c761f407be7fb0e7d18f6228bdb256d76b
SHA1 hash: ff562751dc0bc00d2d47ce2d4a2b1dc85c5284b5
MD5 hash: 25df456a869d743850ff06b2e6c767d4
humanhash: echo-washington-rugby-delaware
File name:Swift Dekont.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'184'768 bytes
First seen:2023-07-22 08:34:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:fR0Txd7nPeWHxfAfrms5xvHdxSAZOQZ53KrEVvW+f18ICh/iRZCBcvkq8cT:fRHOoKYFx4QD3518IWiRYMkqV
Threatray 5'291 similar samples on MalwareBazaar
TLSH T112453AA460B84967D87ACFF19EE5942231D2AE6E7064C43C59D677961273302F0CBE2F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Swift Dekont.exe
Verdict:
Malicious activity
Analysis date:
2023-07-22 08:35:56 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/ba8d3798-775e-4a3a-a95c-5ad5a30d673e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/428439/
Detection(s):
SecuriteInfo.com.Variant.Ransom.Loki.24223.4555.20195.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9fd50ec3-5fd3-426d-b31d-6b44d1a4a796
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1277742
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 08:00:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azmeklgmpaziquwhsvej6fm5v3tigpubahobnletkoggy7elhhpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0025fa6f194a33862ff4241a1fefed9477645cb36cb99e65d05b639b29dcdcdd
AgentTesla
1597a822acdb8c788ba0e7bf4f9c11460ca511f1a1c8ceda95448028347a201f
AgentTesla
22f78673c87c878a5be8e407f697613d8b1dd28f08a2419e8be224fabc3f02ea
AgentTesla
2350cd7baba805daf4c4216695cad848c3df79edd54e23aea3f953c33572c65d
AgentTesla
45f47c94a6941a53e10edf8021e157d3eb74d6dc04559057b522cc9cbe30651e
AgentTesla
9605975e8a60b03447b1b508f4fa2c0640ff6662481b622b8db8060302b01fd1
AgentTesla
aafa7dc071b01367300b6316b598054c325a199b8ce148ac8cf35f2554ba7fdf
AgentTesla
b272143faba3e752260549ef321024a235cc5719f18f5d11f46ef54f2435a7f9
AgentTesla
b4073b9936abd8f87ba521d74ecfed8e16ba3582bbf80a51da0da0c1982814ad
AgentTesla
f468e71c51b81601ee1c836199470b669e9c5dd83d931890b406dc82744bdd1a
AgentTesla
+ 5'281 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230722-kg12paac29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7f2ce177a386c4702f9cefc501c41fafa818323a42b45cdc68f7fe365644a3ef
MD5 hash:
13030994296a8ed8e0e3ff3b5e4615ea
SHA1 hash:
c6fbc5043b6e05c3b4987ec5fda9c74fcc291bf7
Link:
https://www.unpac.me/results/132a2275-216b-4550-a141-3af828c6fdd7/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/132a2275-216b-4550-a141-3af828c6fdd7/
SH256 hash:
5e80d17c3a1d419405dca3a6b1824dc5ff2fb6ee5048b9a949c6282174d35cb7
MD5 hash:
3a0116c24086df043b2c720596ffc2c5
SHA1 hash:
3b92a18d600cd0df32234cc7b4d28e76bd82b453
Link:
https://www.unpac.me/results/132a2275-216b-4550-a141-3af828c6fdd7/
SH256 hash:
eb9659fe647ed73c38a6ed5cf811392aa36230b6ff91a8588d1b5ab557757eb0
MD5 hash:
0364f8100802aade2ab6f4027e7e7c2c
SHA1 hash:
17830b30799b545cf25f676a407608ca4be4c17c
Link:
https://www.unpac.me/results/132a2275-216b-4550-a141-3af828c6fdd7/
SH256 hash:
0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df
MD5 hash:
25df456a869d743850ff06b2e6c767d4
SHA1 hash:
ff562751dc0bc00d2d47ce2d4a2b1dc85c5284b5
Link:
https://www.unpac.me/results/132a2275-216b-4550-a141-3af828c6fdd7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0658452ccc78/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0658452ccc78328852c795489f159daee6833e8101dc16ac93538c6c7c8b39df

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/428439/

Comments